I want to stronly advocate for OpenPGP signatures of releases.
HTTPS is good, and it's the new default:
https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
The hierarchical trust model of X.509 make it suitable for many things,
but for signing code that we build and run on our machines, I would like
to use the strongest available trust model.
The OpenPGP "web of trust" might be a little clumsy to use for some
people and others might not have a trust path to the signing key(s). But
when you have verified the signing key, it's the strongest
cryptographically verified trust method out there. I'm sure many people
here can use it correctly, and surely it's now suckless' fault, if
people use it wrong.
Providing an OpenPGP signature does not hurt anyone and does not force
anyone to use it.
If people trust code from git, http or https - nice for them.
If people trust checksums - nice for them.
If people want to verify code authenticity and integrity via OpenPGP -
please let them!
Thanks, and keep up the good work!
Mattias Andrée:
> * The number of people that actually know the developers of a individual
> package is negligible, so there isn't actually anyone that the users can
> trust.
--
ilf
Über 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
-- Eine Initiative des Bundesamtes für Tastaturbenutzung
Received on Thu Aug 24 2017 - 11:02:46 CEST