GPG signatures for source validation about lurch HOT 5 CLOSED

Where can we find the digital signatures? I could still not find any, do you upload this package somewhere else too?

from lurch.

I will not sign code I cannot vouch for. I'll reconsider this once OWS starts signing their code, which I have to include in my source archives.

from lurch.

What? You are the publisher. Signing only helps to verify that the code does not get modified between your, github and the end consumer. It does not give the user any warrenty, unless your license does, which is not the case. So why not help improving the security of the packaging of your security? You are a wise man, you implemented omemo for pidgin, please rethink your decision. Thanks.

from lurch.

This plugin is just glue code, the main work is done in the submodules, which include libsignal-protocol-c that does most of the crypto. As long as not all the parts are signed, especially the most critical part, I think this is worthless and I'm not willing to deal with PGP for that.
Even if I just sign the resulting tarball (which as I said has to include libsignal-protocol-c), because OWS doesn't employ signatures I have no guarantee that it wasn't modified on the way to my computer (as you said yourself), so I don't want to mislead the users of this plugin.

from lurch.

Imagine someone else wants to include this project in another project. But he will refuse to sign his project, because your project was also not signed. Then nobody would sign any code. Your choice.

And beside this it is also a shame that the signal guys dont sign their code. Even more important than this pidgin addon.

from lurch.