[OpenStack-Infra] [release][infra] Supporting rget in our release process

James E. Blair corvus at inaugust.com
Mon Jul 29 20:52:20 UTC 2019


Hi,

A colleague at Red Hat is working on an effort to record signatures of
release artifacts.  Essentially it's a way to help users verify release
artifacts (or determine if they have been changed) independent of PGP
signatures.  You can read about it here:
https://github.com/merklecounty/rget#rget

It sounds like an interesting and useful effort, and I think we can
support it at little cost.  If we wanted to do so, I think we would need
to do the following things:

1) Generate SHA256SUMS of our release artifacts.  These could even
include the GPG signature files.

2) Run "rget submit" on the resulting files after publication.

That's it.

Both of those would be changes to the release publication jobs, and
wouldn't require any other changes to our processes.

As mentioned in the README this is very early stages and the author,
Brandon Philips, welcomes both further testing and feedback on the
process in general.

Thoughts?

-Jim
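The two release-job steps proposed above (write SHA256SUMS over the artifacts and their .asc files, then run "rget submit" after publication), as an added shell example. This is not code from the original post, the OpenStack release jobs, or the rget project. It assumes a flat artifact directory, constructed file names, a dry-run switch (RGET_DRY_RUN) that the real tool does not have, and that "rget submit" takes the public URL of the published SHA256SUMS as its single argument; the message itself only says the command is run on the resulting files.

```shell
#!/bin/sh
# Added example; not from the original message or the rget project.
# Step 1 writes SHA256SUMS covering the release artifacts and their detached
# .asc signatures and checks it the way a downloader would; step 2 hands the
# public SHA256SUMS URL to "rget submit". The directory layout, file names,
# RGET_DRY_RUN, and the "rget submit <url>" form are assumptions.

# Pick a SHA-256 tool: GNU coreutils sha256sum, or perl shasum elsewhere.
# Both emit and check the same "HASH  FILE" line format.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# Constructed release directory so the example runs offline. A real job
# would have real tarballs and real GPG detached signatures here.
make_release_fixture() {
    dir="$1"
    mkdir -p "$dir"
    printf 'constructed tarball contents\n' > "$dir/example-1.0.0.tar.gz"
    printf 'constructed wheel contents\n'   > "$dir/example-1.0.0-py3-none-any.whl"
    for f in example-1.0.0.tar.gz example-1.0.0-py3-none-any.whl; do
        # Stand-in for a detached signature; not real PGP data.
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(constructed, not a real signature)' \
            '-----END PGP SIGNATURE-----' > "$dir/$f.asc"
    done
}

# Step 1: write SHA256SUMS with bare file names so it verifies from any
# download location. The .asc files are included on purpose: a swapped
# signature file is then detected exactly like a swapped tarball.
make_sha256sums() {
    dir="$1"
    tool=$(sha256_tool)
    ( cd "$dir" || exit 1
      for f in *; do
          case "$f" in SHA256SUMS*) continue ;; esac   # never hash the list itself
          [ -f "$f" ] || continue
          $tool "$f"
      done > SHA256SUMS )
}

# What a downloader does with the published file: exit non-zero on any mismatch.
verify_sha256sums() {
    dir="$1"
    tool=$(sha256_tool)
    ( cd "$dir" && $tool -c SHA256SUMS >/dev/null )
}

# Step 2: after publication, submit the public URL of SHA256SUMS.
# Assumption: "rget submit <url>" is the interface. RGET_DRY_RUN is an
# example-only switch so this can run without network access or rget.
submit_sha256sums() {
    url="$1"
    if [ -n "${RGET_DRY_RUN:-}" ] || ! command -v rget >/dev/null 2>&1; then
        echo "dry run: rget submit $url"
        return 0
    fi
    rget submit "$url"
}

# End-to-end walk-through, including the failure case the scheme exists for.
demo() {
    work=$(mktemp -d)
    make_release_fixture "$work"
    make_sha256sums "$work"
    verify_sha256sums "$work" || { echo "fresh SHA256SUMS failed to verify"; return 1; }
    # Simulate a signature file replaced after publication.
    printf 'tampered\n' >> "$work/example-1.0.0.tar.gz.asc"
    if verify_sha256sums "$work" 2>/dev/null; then
        echo "tampered .asc was not detected"; return 1
    fi
    echo "SHA256SUMS detected the modified .asc file"
    RGET_DRY_RUN=1 submit_sha256sums "https://tarballs.example.invalid/example/SHA256SUMS"
    rm -rf "$work"
}

demo
```

Generating SHA256SUMS as the last step of the publication job, after the .asc files exist, is what lets the list cover the signatures as well as the artifacts; the submit step then only needs the final public URL of that one file.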


