Re: [dev] file integrity github project

From: Aaron Toponce <>
Date: Thu, 24 Aug 2017 10:48:59 -0600

On Thu, Aug 24, 2017 at 01:22:33PM +0200, Laslo Hunhold wrote:
> I won't support the PGP snake-oil movement just so you can sleep well
> at night. If you want to go with maximum trust, you can compare the
> tarball-contents with the status of the git-repo at a certain tag.

I'll continue to push checksums and PGP signatures to that repository. As an
independent 3rd party who is not involved with any of the suckless projects, I
can provide a neutral position on improving the integrity and security of the
project, even if some find it too cumbersome to use, or aren't interested.

> As nice as PGP sounds, I think it has seen its best days already for
> general usage. I know no package manager that implements this model
> (tell if there is one). The ones I know use hashes.

All Fedora-based distributions (RHEL, CentOS, Scientific, etc.) use GPG-signed
packages, and the package manager checks them by default. All Debian-based
distributions (Debian, Ubuntu, Linux Mint, etc.) also use GPG-signed packages,
and the package manager also checks them by default. Arch, Slackware, Gentoo,
etc., etc., etc. It's more popular that the GNU/Linux distributions use
GPG-signed software packages than not.

> But it means more work with questionable benefit. It's already
> difficult enough to keep the patches on the site up-to-date and even
> (as Hiltjo discovered) to provide checksums for all packages on
> It's easy to delegate such things on the mailing
> list, proposing them (like in your position), but not actually doing
> anything.
> Those doing the work are the ones that should be asked.

The process can be automated by taking advantage of the GPG Agent. Some package
building software will do this by default for you, by just supplying your GPG
key. Of course, just building compressed tarballs, you would need to script it,
but it's hardly challenging.

. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o

Received on Thu Aug 24 2017 - 18:48:59 CEST
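
The scripted tarball signing mentioned in the last paragraph of the message, as an added example that is not part of the original e-mail or of any suckless tooling. The SIGNING_KEY variable, the function names and the .sha256/.asc file naming are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SIGNING_KEY and the .sha256/.asc file names are assumptions.

# make_tarball SRC_DIR OUT_DIR: pack SRC_DIR (e.g. demo-1.0/) and print the path.
make_tarball() {
    src=${1%/}; out=$2; name=$(basename "$src")
    mkdir -p "$out" || return 1
    tar -C "$(dirname "$src")" -czf "$out/$name.tar.gz" "$name" || return 1
    printf '%s\n' "$out/$name.tar.gz"
}

# write_checksum FILE: write FILE.sha256 with a relative file name, so it can
# be checked from whatever directory the files are downloaded into.
write_checksum() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# sign_file FILE: detached, ASCII-armored signature in FILE.asc.
# --batch stops gpg itself from prompting; the secret-key operation is done by
# gpg-agent, so a passphrase already cached there makes the run unattended.
sign_file() {
    gpg --batch --yes --local-user "${SIGNING_KEY:?set SIGNING_KEY}" \
        --armor --detach-sign --output "$1.asc" "$1"
}

# verify_checksum FILE: succeed only if FILE matches FILE.sha256.
verify_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# verify_release FILE: what a downloader runs. The checksum catches corruption;
# the signature is what ties the file to the holder of the signing key.
verify_release() {
    verify_checksum "$1" && gpg --verify "$1.asc" "$1"
}

# release SRC_DIR OUT_DIR: tarball, checksum and signature in one step.
release() {
    tarball=$(make_tarball "$1" "$2") || return 1
    write_checksum "$tarball" && sign_file "$tarball" || return 1
    printf '%s\n' "$tarball"
}

if [ "$#" -eq 2 ]; then release "$1" "$2"; fi
```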
