Tarball signatures

Since 2024-Feb-15 the released tarballs are no longer signed. Is it by accident or on purpose?

Looks like the CDN is not up-to-date yet?

docb@X1E:~/buildservice/Application:ERP:Tryton:6.0/trytond>wget http://downloads.tryton.org/6.0/trytond-6.0.45.tar.gz.asc
URL transformed to HTTPS due to an HSTS policy
--2024-04-18 10:12:38-- https://downloads.tryton.org/6.0/trytond-6.0.45.tar.gz.asc
Resolving downloads.tryton.org (downloads.tryton.org)... 37.59.44.187, 2001:41d0:8:67bb::1
Connecting to downloads.tryton.org (downloads.tryton.org)|37.59.44.187|:443... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://downloads-cdn.tryton.org/6.0/trytond-6.0.45.tar.gz.asc [following]
--2024-04-18 10:12:38-- https://downloads-cdn.tryton.org/6.0/trytond-6.0.45.tar.gz.asc
Resolving downloads-cdn.tryton.org (downloads-cdn.tryton.org)... 185.172.149.103, 2a0b:4d07:102::1
Connecting to downloads-cdn.tryton.org (downloads-cdn.tryton.org)|185.172.149.103|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-04-18 10:12:38 ERROR 404: Not Found.

OK, that explains it, but does not answer WHY signatures are removed.

Friendly ping.

What is the stance of the project/maintainer on this topic?

Especially in light of the recent xz backdoor, signed tarballs or commits are at least one item in the chain of trust. Without signed tarballs anyone in control of downloads.tryton.org could submit malicious content, while with signed tarballs additionally the key of the release manager would have to be compromised.

See "Remove GPG signature of released package (b5480ec0bbc8) · Commits · Tryton / Tools / Maintenance · GitLab" and "Cryptographically sign source releases".
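The packager-side check this thread is about, as an added example that is not part of the original posts or of Tryton's tooling: a fail-closed verification of a tarball against its detached signature, where a missing `.asc` (the 404 shown above) is treated as a failure rather than skipped. The function name, return codes and keyring path are assumptions; the keyring is assumed to be a binary export of the release manager's public key obtained out of band.

```shell
#!/bin/sh
# Added example: fail-closed check of a release tarball against a detached
# OpenPGP signature. Function name, return codes and paths are hypothetical.

# verify_release TARBALL SIGNATURE KEYRING
#   0 = good signature made by a key in KEYRING
#   1 = signature present but verification failed
#   2 = signature missing or empty (e.g. the download returned 404)
#   3 = tarball, keyring or gpgv itself is missing
verify_release() {
    tarball=$1 sig=$2 keyring=$3

    [ -f "$tarball" ] || { echo "no tarball: $tarball" >&2; return 3; }

    # A missing .asc is a failure, never "nothing to check".
    [ -s "$sig" ] || { echo "no signature for $tarball" >&2; return 2; }

    [ -f "$keyring" ] || { echo "no keyring: $keyring" >&2; return 3; }
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed" >&2; return 3; }

    # gpgv looks up slash-less keyring names in the GnuPG home directory,
    # so make the path absolute to use exactly the file that was passed in.
    case $keyring in /*) ;; *) keyring=$PWD/$keyring ;; esac

    # gpgv accepts only keys from the given keyring; the user's own
    # keyring and trust database are not consulted.
    if gpgv --keyring "$keyring" "$sig" "$tarball" >/dev/null 2>&1; then
        return 0
    fi
    echo "BAD signature on $tarball" >&2
    return 1
}

# Usage in a build script (keyring file name is an assumption):
#   verify_release trytond-6.0.45.tar.gz trytond-6.0.45.tar.gz.asc \
#       ./release-manager.gpg || exit 1
```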