Feature request: Signed releases
avanier opened this issue · 2 comments
avanier commented
Would it be possible to have signed binary releases? Right now, if I want to get binaries that I know represent the code available at a given version, I have to pull from GitHub and compile the code myself.
GPG FTW.
Typositoire commented
That'd be nice indeed. You don't want fake packages to go leak all your secrets xD
Caiyeon commented
Yes, I have thought about signed releases and will likely do this in the future. Although, I'm not sure how far in the future. It probably won't be in the next release.
A signed package does not guarantee the source code from which it is compiled.
But the concern is valid. I, too, am paranoid, and would expect signed releases in the future.
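What the two sides of a signed release actually check, as an added example that is not goldfish's code or release tooling: Go's standard-library ed25519 stands in for GPG here so the program runs without gnupg installed, but the verifier's logic is the same one a downloader of a GPG-signed release performs, namely check the detached signature over the checksum manifest against a publisher key pinned out of band, then check each downloaded binary against the signed manifest. The key pairs, the file name `mytool-linux-amd64` and the "binary" contents are constructed for the demo; the three tampering scenarios show which step catches which attack.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Release is what a project would upload next to its binaries: a manifest
// listing each artifact's SHA-256 plus a detached signature over the manifest.
type Release struct {
	Artifacts map[string][]byte // file name -> bytes (the binaries themselves)
	Manifest  []byte            // "<hex sha256>  <name>\n" per artifact, like sha256sum output
	Signature []byte            // detached signature over Manifest
}

// buildManifest renders the artifacts in sha256sum's two-space format, sorted
// so the bytes being signed are deterministic.
func buildManifest(artifacts map[string][]byte) []byte {
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(artifacts[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.Bytes()
}

// publish is the release side: hash every artifact, sign the manifest once.
func publish(priv ed25519.PrivateKey, artifacts map[string][]byte) Release {
	m := buildManifest(artifacts)
	return Release{Artifacts: artifacts, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// verify is the download side. It accepts a release only if (1) the manifest
// signature checks out under the publisher key pinned by the caller, which is
// the step that makes "some key signed it" insufficient, and (2) every
// downloaded artifact's SHA-256 matches its line in the signed manifest.
// It returns nil when the release is trusted, otherwise the failing check.
func verify(pinned ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pinned, r.Manifest, r.Signature) {
		return fmt.Errorf("manifest signature not made by the pinned publisher key")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(r.Manifest)), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[fields[1]] = fields[0]
	}
	for name, data := range r.Artifacts {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("%s is not listed in the signed manifest", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: SHA-256 does not match the signed manifest", name)
		}
	}
	return nil
}

// scenarios runs the honest release and three tampering attempts against a
// verifier that has pinned the publisher's key. Keys and "binaries" are
// constructed for this example; nothing here is a real release.
func scenarios() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // publisher (constructed)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker (constructed)
	bin := []byte("not a real executable, constructed for the demo")

	results := map[string]error{}
	good := publish(priv, map[string][]byte{"mytool-linux-amd64": bin})
	results["pristine"] = verify(pub, good)

	// 1. Binary swapped on the download mirror, signed manifest left alone:
	//    the signature is fine, the hash check fails.
	swapped := good
	swapped.Artifacts = map[string][]byte{"mytool-linux-amd64": append([]byte("trojan"), bin...)}
	results["swapped binary"] = verify(pub, swapped)

	// 2. Attacker also rewrites the manifest to match: the old signature no longer covers it.
	rewritten := swapped
	rewritten.Manifest = buildManifest(rewritten.Artifacts)
	results["rewritten manifest"] = verify(pub, rewritten)

	// 3. Attacker signs the rewritten manifest with their own key. A bare
	//    signature check would pass; verification against the pinned key rejects it.
	resigned := publish(malloryPriv, rewritten.Artifacts)
	results["re-signed by other key"] = verify(pub, resigned)
	return results
}

func main() {
	for name, err := range scenarios() {
		if err == nil {
			fmt.Printf("%-24s accepted\n", name)
		} else {
			fmt.Printf("%-24s rejected: %v\n", name, err)
		}
	}
}
```

With GPG the same two steps are `gpg --verify SHA256SUMS.asc SHA256SUMS` against a publisher key whose fingerprint was checked out of band, followed by `sha256sum -c SHA256SUMS` in the download directory. As the maintainer's comment notes, passing both only shows who signed the manifest, not that the binary was built from the tagged source; that question is answered by a reproducible build compared against the published hash, not by the signature.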