Re: [dev] file integrity github project

From: Laslo Hunhold <>
Date: Thu, 24 Aug 2017 13:22:33 +0200

On Thu, 24 Aug 2017 11:02:46 +0200
ilf <> wrote:

Dear ilf,

> HTTPS is good, and it's the new default:
> The hierarchical trust model of X.509 makes it suitable for many
> things, but for signing code that we build and run on our machines, I
> would like to use the strongest available trust model.

given we don't PGP-sign our commits and suckless-projects are hosted on
the suckless server, going full overboard with PGP on the release-area
is overkill.
I won't support the PGP snake-oil movement just so you can sleep well
at night. If you want to go with maximum trust, you can compare the
tarball-contents with the status of the git-repo at a certain tag.

> The OpenPGP "web of trust" might be a little clumsy to use for some
> people and others might not have a trust path to the signing key(s).
> But when you have verified the signing key, it's the strongest
> cryptographically verified trust method out there. I'm sure many
> people here can use it correctly, and surely it's now suckless'
> fault, if people use it wrong.

As nice as PGP sounds, I think it has seen its best days already for
general usage. I know no package manager that implements this model
(tell if there is one). The ones I know use hashes.

If you trust us suckless developers, you trust our server as well.
There is a chance your connection is MITM'd, but we will counteract with
HTTPS. There's simply no reason to go further, given the entire
development model is not based on this kind of authentication model.

> Providing an OpenPGP signature does not hurt anyone and does not
> force anyone to use it.

But it means more work with questionable benefit. It's already
difficult enough to keep the patches on the site up-to-date and even
(as Hiltjo discovered) to provide checksums for all packages on It's easy to delegate such things on the mailing
list, proposing them (like in your position), but not actually doing
Those doing the work are the ones that should be asked.

> If people trust code from git, http or https - nice for them.
> If people trust checksums - nice for them.
> If people want to verify code authenticity and integrity via OpenPGP
> - please let them!

How many people even do that? I guess the number is so low, it would
take less time to hand-pack a tarball for each after a personal request
per mail, provided of course they trust me.

With best regards


Laslo Hunhold <>
Received on Thu Aug 24 2017 - 13:22:33 CEST
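The check Laslo suggests above, comparing a release tarball with the repository at the matching tag, as an added POSIX shell example that is not part of this thread or of suckless' tooling. It assumes the tag has already been checked out locally (e.g. `git checkout v1.0`), that the tarball carries a single top-level directory, and that `tar`, `find` and `cksum` are available.

```shell
#!/bin/sh
# Print one line per regular file under directory $1: "<crc> <size> ./relative/path".
# .git metadata is skipped because it is never part of a release tarball.
manifest() {
    (cd "$1" && find . -type f ! -path './.git/*' | LC_ALL=C sort | while IFS= read -r f; do
        cksum "$f"
    done)
}

# verify_tarball_against_tree TARBALL TREE
# Returns 0 when the tarball's file list and contents match the checked-out tree,
# 1 when they differ (the differing manifest lines are printed), 2 on error.
verify_tarball_against_tree() {
    tarball=$1
    tree=$2
    work=$(mktemp -d) || return 2
    if ! tar -xf "$tarball" -C "$work"; then
        rm -rf "$work"
        return 2
    fi
    # Descend into the tarball's single top-level directory (e.g. proj-1.0/).
    top=""
    for d in "$work"/*/; do
        top=$d
        break
    done
    if [ -z "$top" ] || [ ! -d "$top" ]; then
        rm -rf "$work"
        return 2
    fi
    manifest "$top" > "$work/tarball.manifest"
    manifest "$tree" > "$work/tree.manifest"
    if cmp -s "$work/tarball.manifest" "$work/tree.manifest"; then
        rc=0
    else
        rc=1
        # Show which paths were added, removed or changed.
        diff "$work/tarball.manifest" "$work/tree.manifest" || true
    fi
    rm -rf "$work"
    return $rc
}
```

A mismatch only tells you the tarball and the tag differ; it does not say which side is right, so the next step is to look at the reported paths rather than to trust either blindly.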
