On Thu, Aug 24, 2017 at 11:02:46AM +0200, ilf wrote:
> I want to stronly advocate for OpenPGP signatures of releases.
>
> HTTPS is good, and it's the new default:
> https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
> The hierarchical trust model of X.509 make it suitable for many things, but
> for signing code that we build and run on our machines, I would like to use
> the strongest available trust model.
>
> The OpenPGP "web of trust" might be a little clumsy to use for some people
> and others might not have a trust path to the signing key(s). But when you
> have verified the signing key, it's the strongest cryptographically verified
> trust method out there. I'm sure many people here can use it correctly, and
> surely it's now suckless' fault, if people use it wrong.
>
*not :)
> Providing an OpenPGP signature does not hurt anyone and does not force
> anyone to use it.
>
> If people trust code from git, http or https - nice for them.
> If people trust checksums - nice for them.
> If people want to verify code authenticity and integrity via OpenPGP -
> please let them!
>
> Thanks, and keep up the good work!
>
> Mattias Andrée:
> > * The number of people that actually know the developers of a individual
> > package is negligible, so there isn't actually anyone that the users can
> > trust.
>
I fully agree. We can use the technology since it's good "policy" anyway until
the trust web expands. If we don't use it then it's assured it won't/can't be
used.
The first start is exchanging PGP keys when developers meet or can exchange
keys securely.
--
Kind regards,
Hiltjo
Received on Thu Aug 24 2017 - 13:27:05 CEST