Re: [dev] file integrity github project

From: Hiltjo Posthuma <>
Date: Thu, 24 Aug 2017 13:27:05 +0200

On Thu, Aug 24, 2017 at 11:02:46AM +0200, ilf wrote:
> I want to stronly advocate for OpenPGP signatures of releases.
> HTTPS is good, and it's the new default:
> The hierarchical trust model of X.509 make it suitable for many things, but
> for signing code that we build and run on our machines, I would like to use
> the strongest available trust model.
> The OpenPGP "web of trust" might be a little clumsy to use for some people
> and others might not have a trust path to the signing key(s). But when you
> have verified the signing key, it's the strongest cryptographically verified
> trust method out there. I'm sure many people here can use it correctly, and
> surely it's now suckless' fault, if people use it wrong.

*not :)

> Providing an OpenPGP signature does not hurt anyone and does not force
> anyone to use it.
> If people trust code from git, http or https - nice for them.
> If people trust checksums - nice for them.
> If people want to verify code authenticity and integrity via OpenPGP -
> please let them!
> Thanks, and keep up the good work!
> Mattias Andrée:
> > * The number of people that actually know the developers of a individual
> > package is negligible, so there isn't actually anyone that the users can
> > trust.

I fully agree. We can use the technology since it's good "policy" anyway until
the trust web expands. If we don't use it then it's assured it won't/can't be
The first start is exchanging PGP keys when developers meet or can exchange
keys securely.

Kind regards,

Received on Thu Aug 24 2017 - 13:27:05 CEST

This archive was generated by hypermail 2.3.0 : Thu Aug 24 2017 - 13:36:19 CEST