Re: [dev] dl.suckless.org file integrity github project

From: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
Date: Thu, 24 Aug 2017 19:28:18 +0200

On Thu, Aug 24, 2017 at 12:02:35PM -0500, Joshua Haase wrote:
> Laslo Hunhold <dev_AT_frign.de> writes:
>
> > On Thu, 24 Aug 2017 11:02:46 +0200
> > ilf <ilf_AT_zeromail.org> wrote:
> >
> > As nice as PGP sounds, I think it has seen its best days already for
> > general usage. I know no package manager that implements this model
> > (tell me if there is one). The ones I know use hashes.
>
> pacman uses signatures to verify its packages and a WoT stemming from
> Arch developers which you have to accept locally.
>
> > But it means more work with questionable benefit. It's already
> > difficult enough to keep the patches on the site up-to-date and even
> > (as Hiltjo discovered) to provide checksums for all packages on
> > dl.suckless.org. It's easy to delegate such things on the mailing
> > list, proposing them (like in your position), but not actually doing
> > anything.
>
> It's not so much work if git is configured to always sign and/or the
> package build system signs by default.
>

Yes, part of this work is already done. The hackathon is probably a good
time to switch this over. I think signing should be done locally, however,
by the repository maintainer or owner.

-- 
Kind regards,
Hiltjo
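As an added example (not suckless code, and not the scheme the project actually adopted), the following POSIX sh sketch shows the two halves discussed in the thread: the maintainer side, where git is configured to sign every commit and tag by default and a detached signature is made locally over the release tarball, and the user side, where a checksum check and a signature check are kept separate so the difference between them is visible. A matching checksum only proves the bytes match the published list, which the same compromised download host could rewrite; a good signature binds the tarball to a key the user decided to trust beforehand, the pacman/WoT model mentioned above. It assumes GNU coreutils sha256sum, GnuPG (gpg) on the signing host, and git 2.23 or later for the tag.gpgSign key; the key id, repository path, file name and release contents are placeholders.

```shell
#!/bin/sh
# Added illustration, not suckless code. Assumes GNU coreutils sha256sum,
# GnuPG for the signing/verification steps and git >= 2.23 for tag.gpgSign.
# Every key id, path and file name below is a placeholder.
set -eu

# Maintainer side: make git sign every commit and tag without extra effort.
# (Add --global to apply it to all repositories of this user.)
configure_git_signing() {
    repo=$1; keyid=$2
    git -C "$repo" config user.signingkey "$keyid"
    git -C "$repo" config commit.gpgsign true
    git -C "$repo" config tag.gpgSign true
}

# Write NAME.sha256 next to the tarball, with a bare file name inside so
# that sha256sum -c works from the download directory.
write_checksum() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256sum "$name" > "$name.sha256" )
}

# Maintainer side: checksum list plus a detached, ASCII-armoured signature
# made on the maintainer's machine, never on the download server.
sign_release() {
    tarball=$1; keyid=$2
    write_checksum "$tarball"
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "$tarball.sig" "$tarball"
}

# User side, step 1: integrity only. Returns 0 if the tarball matches its
# .sha256 file, non-zero otherwise. Says nothing about who produced either.
verify_checksum() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256sum -c --status "$name.sha256" )
}

# User side, step 2: authenticity. Returns 0 on a good signature from a key
# in the user's keyring, 1 on a bad or missing signature, 2 if gpg is absent.
verify_signature() {
    tarball=$1
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --batch --verify "$tarball.sig" "$tarball" >/dev/null 2>&1 || return 1
}

# Stand-alone demo on a constructed, hypothetical release file.
demo() {
    tmp=$(mktemp -d)
    rel="$tmp/foo-1.0.tar.gz"               # placeholder name and contents
    printf 'constructed release contents\n' > "$rel"
    write_checksum "$rel"
    if verify_checksum "$rel"; then echo "checksum: ok"; fi
    printf 'tampered\n' >> "$rel"           # simulate a modified download
    if verify_checksum "$rel"; then echo "checksum: ok"; else echo "checksum: MISMATCH"; fi
    rc=0; verify_signature "$rel" || rc=$?
    case $rc in
        0) echo "signature: ok" ;;
        1) echo "signature: bad or missing" ;;
        2) echo "signature: skipped, gpg not installed" ;;
    esac
    rm -rf "$tmp"
}
demo
```

Both checks are run by the user against files fetched from the same place, so the checksum alone cannot detect a server that replaced the tarball and its .sha256 list together; only the signature check, against a key obtained and trusted out of band, catches that case.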
Received on Thu Aug 24 2017 - 19:28:18 CEST

This archive was generated by hypermail 2.3.0 : Thu Aug 24 2017 - 19:36:22 CEST