Re: [dev] dl.suckless.org file integrity github project

From: Nick <suckless-dev_AT_njw.me.uk>
Date: Thu, 24 Aug 2017 15:03:45 +0100

FWIW, as someone who is mostly just a user of suckless stuff, I like
OpenPGP signing too. I don't have a strong opinion on git tags vs
tarballs for signing, either is good. It's nice to have a properly
secure proof of authenticity that doesn't depend on the link not
being compromised.

I'm really glad HTTPS is going to be rolled out to suckless.org
soon, thanks for that!

Personally I've gone off the web of trust model somewhat; it
depends on long-lived keys, which given the lack of PFS are
hard to manage securely. But OpenPGP signatures on software, from
developers, are great. I plan on just doxing all of the suckless devs
and knocking on their doors demanding to see their signatures. Much
better. Or maybe checking them once on a different band to where I
get the software... All depends on my mood.

Nick


Quoth Markus Teich:
> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory; yesterday I added
> > SHA256 checksums.
> >
> > For example:
> > SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> > SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> > MD5: http://dl.suckless.org/dwm/md5sums.txt
> >
> > HTTPS will be coming in a few weeks when some things are sorted. Maybe in the
> > future we can also add PGP signed releases.
>
> Heyho,
>
> I don't see the benefit of checksums without signatures. We already kind of have
> transmission integrity by IP for release downloads or by git. We really need
> https, but PGP is probably controversial enough to be discussed. Maybe we have
> some time for that at the hackathon, but that would exclude people who cannot
> attend.
>
> Thus, start flaming your highly valued opinions about PGP-signing releases to
> the list nao! ;P
>
> --Markus
>
Received on Thu Aug 24 2017 - 16:03:45 CEST
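The point Markus raises above (a checksum file fetched over the same channel as the tarball proves nothing about who produced it) can be shown concretely. The following is an added example for this thread, not suckless's tooling: it parses a coreutils-style sha256sums.txt like the ones linked from dl.suckless.org, verifies files against it, and then plays the attacker who controls the download path and simply regenerates the sums after modifying the tarball. The file name "example-1.0.tar.gz" and its contents are constructed placeholders, not a real release.

```python
"""Verify downloads against a coreutils-style sha256sums.txt, and show why
that alone gives integrity but not authenticity.

Added example for the dl.suckless.org signing discussion; not project code.
All inputs are constructed inline so it runs offline.
"""
import hashlib
import re

# coreutils format: "<64 hex chars>  <name>" ("  " for text, " *" for binary).
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text):
    """Return {filename: lowercase hex digest} from sha256sums.txt contents.

    Blank lines and '#' comments are skipped; anything else that does not
    look like a sha256sum line is rejected rather than silently ignored.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError("malformed sha256sums line: %r" % raw)
        sums[m.group(2)] = m.group(1).lower()
    return sums


def make_sha256sums(files):
    """Produce sha256sums.txt text for {filename: bytes} (what `sha256sum` prints)."""
    return "".join(
        "%s  %s\n" % (hashlib.sha256(data).hexdigest(), name)
        for name, data in sorted(files.items())
    )


def verify(sums_text, files):
    """Check {filename: bytes} against sums_text.

    Returns {filename: True (match) | False (mismatch) | None (no entry)}.
    """
    expected = parse_sha256sums(sums_text)
    result = {}
    for name, data in files.items():
        if name not in expected:
            result[name] = None
            continue
        result[name] = hashlib.sha256(data).hexdigest() == expected[name]
    return result


# Constructed stand-in for a release tarball (not real release content).
RELEASE_NAME = "example-1.0.tar.gz"
RELEASE_BYTES = b"constructed tarball bytes for the example, not a real release\n"


def demo():
    """Three scenarios; returns (genuine_ok, tampered_detected, mitm_passes)."""
    # 1. Developer publishes tarball and sha256sums.txt; user verifies.
    published_sums = make_sha256sums({RELEASE_NAME: RELEASE_BYTES})
    genuine_ok = verify(published_sums, {RELEASE_NAME: RELEASE_BYTES})[RELEASE_NAME]

    # 2. Only the tarball is corrupted or modified in transit: caught.
    tampered = RELEASE_BYTES + b"#!/bin/sh\n# constructed backdoor marker\n"
    tampered_detected = not verify(published_sums, {RELEASE_NAME: tampered})[RELEASE_NAME]

    # 3. The attacker sits on the same (plain-HTTP) path as the checksum file,
    #    so they serve a regenerated sha256sums.txt next to the tampered tarball.
    #    Verification passes: the checksum binds the file to the checksum file,
    #    not to the developer. Only a signature over the tarball or over
    #    sha256sums.txt, checked against a key obtained out of band, closes this.
    attacker_sums = make_sha256sums({RELEASE_NAME: tampered})
    mitm_passes = verify(attacker_sums, {RELEASE_NAME: tampered})[RELEASE_NAME]

    return genuine_ok, tampered_detected, mitm_passes


if __name__ == "__main__":
    print("genuine verifies / tamper caught / MITM with regenerated sums passes:",
          demo())
```

Scenario 3 is the whole argument for HTTPS plus signed releases: TLS removes the on-path attacker from the equation for the transfer, and a detached OpenPGP signature (over the tarball or over sha256sums.txt) moves the trust anchor from the mirror to a developer key that the user has checked through some other band.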

This archive was generated by hypermail 2.3.0 : Thu Aug 24 2017 - 16:12:19 CEST