Re: [dev] dl.suckless.org file integrity github project

From: Mattias Andrée <maandree_AT_kth.se>
Date: Fri, 25 Aug 2017 17:13:38 +0200

On Fri, 25 Aug 2017 16:48:13 +0200
Anselm R Garbe <garbeam_AT_gmail.com> wrote:

> Hi Mattias,
>
> On 25 August 2017 at 16:32, Mattias Andrée <maandree_AT_kth.se> wrote:
> > On Fri, 25 Aug 2017 13:54:41 +0200
> > Anselm R Garbe <garbeam_AT_gmail.com> wrote:
> >
> >> On 25 August 2017 at 12:56, Laslo Hunhold <dev_AT_frign.de> wrote:
> >> > On Fri, 25 Aug 2017 08:12:12 +0200
> >> > Anselm R Garbe <garbeam_AT_gmail.com> wrote:
> >> >> - (optional) repo owners/maintainers should sign their future git tags
> >> >> for release creation by using their own private PGP key.
> >> >
> >> > the public PGP-keys could be put on the
> >> > http://suckless.org/people/*-pages.
> >>
> >> Either that, or perhaps we can reinstate the old fashion of
> >> suckless.org/~user/ homedir.
> >
> > Wouldn't it be best to have all keys in one page?
>
> Sure it would, probably best is dl.suckless.org as well.
>
> My only concern with the wiki page is that everybody could presumably
> tamper with the pubkeys there, since we accept upstream wiki changes. Of
> course they need to be reviewed, but how do I know that Laslo's pubkey
> is really Laslo's pubkey without hassle when reviewing some public
> wiki change?
>
> Hence my suggestion to put them into a URL position that requires ssh
> access for pushing onto suckless.org, which is given for
> maintainers/repo owners.
>
> BR,
> Anselm

Each user could have a directory called pgp-keys and dl.suckless.org
could list those directories. This would allow us to store old keys
in a structured manner.

An alternative is that the owner of a repo commits his key to the
repo under /.pgp-keys.
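The workflow under discussion, signed release tags checked against a public key that only maintainers can publish, as an added example that is not part of this thread and not suckless infrastructure: a maintainer signs a tag, exports the public key into a pgp-keys/ directory (a local stand-in for the per-user directory proposed above), and a downstream user verifies the tag from a keyring that contains nothing but that directory's contents. It assumes git and gpg 2.1 or newer are installed; the maintainer name, address, key and repository are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a maintainer signs a release tag
# with a PGP key, publishes only the public half into a pgp-keys/ directory
# (standing in for a maintainer-writable location on the download host), and a
# downstream user verifies the tag from a keyring that trusts nothing but
# that directory. Requires git and gpg >= 2.1; identities are constructed.
set -e

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer-gnupg"      # maintainer's private keyring
VERIFIER_HOME="$WORK/verifier-gnupg"  # downstream user's keyring
EMPTY_HOME="$WORK/empty-gnupg"        # keyring with no keys at all
KEYDIR="$WORK/pgp-keys"               # published public keys
REPO="$WORK/repo"
MAINT_NAME='Example Maintainer'           # constructed identity
MAINT_MAIL='maintainer@example.invalid'   # constructed identity
mkdir -p "$SIGNER_HOME" "$VERIFIER_HOME" "$EMPTY_HOME" "$KEYDIR"
chmod 700 "$SIGNER_HOME" "$VERIFIER_HOME" "$EMPTY_HOME"

# Maintainer side: create an unprotected (demo-only) key, sign tag v0.1,
# and export the public key into the pgp-keys/ directory.
make_signed_tag() {
    GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$MAINT_NAME <$MAINT_MAIL>" \
        default default never
    # first "fpr" record is the primary key's fingerprint
    fpr=$(GNUPGHOME="$SIGNER_HOME" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    git init -q "$REPO"
    git -C "$REPO" -c user.name="$MAINT_NAME" -c user.email="$MAINT_MAIL" \
        commit -q --allow-empty -m 'initial commit'
    GNUPGHOME="$SIGNER_HOME" git -C "$REPO" -c user.name="$MAINT_NAME" \
        -c user.email="$MAINT_MAIL" -c user.signingkey="$fpr" \
        tag -s v0.1 -m 'release 0.1'
    GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export "$fpr" \
        > "$KEYDIR/maintainer.asc"
}

# User side: import only what pgp-keys/ publishes, then let git ask gpg to
# verify the tag signature. Exit status 0 means the signature checks out
# against one of the imported keys.
verify_tag_with_keydir() {
    GNUPGHOME="$VERIFIER_HOME" gpg --batch --quiet --import "$KEYDIR"/*.asc
    GNUPGHOME="$VERIFIER_HOME" git -C "$REPO" verify-tag v0.1 2>/dev/null
}

# Control case: without the published key the same tag cannot be verified,
# which is why the place the key is published from has to be trustworthy.
# Returns 0 when verification correctly fails.
verify_tag_without_key() {
    if GNUPGHOME="$EMPTY_HOME" git -C "$REPO" verify-tag v0.1 2>/dev/null; then
        return 1
    fi
    return 0
}

make_signed_tag
verify_tag_with_keydir || { echo "FAIL: tag did not verify against pgp-keys/" >&2; exit 1; }
echo "v0.1: signature verified against the published key"
verify_tag_without_key || { echo "FAIL: tag verified without any key" >&2; exit 1; }
echo "v0.1: verification correctly fails without the published key"
```

The verifier keyring never sees the maintainer's private key or any third-party key, so a tag only verifies when the key fetched from the pgp-keys/ directory is the one that signed it; that is the property a maintainer-only publication path has to protect, and the reason a world-editable wiki page is the wrong place for the keys.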

Received on Fri Aug 25 2017 - 17:13:38 CEST
