Re: [dev] dl.suckless.org file integrity github project

From: Joshua Haase <hahj87_AT_gmail.com>
Date: Thu, 24 Aug 2017 12:02:35 -0500

Laslo Hunhold <dev_AT_frign.de> writes:

> On Thu, 24 Aug 2017 11:02:46 +0200
> ilf <ilf_AT_zeromail.org> wrote:
>
> As nice as PGP sounds, I think it has seen its best days already for
> general usage. I know no package manager that implements this model
> (tell if there is one). The ones I know use hashes.

pacman uses signatures to verify it's packages and a WoT stemming from
Arch developers which you have to accept locally.

> But it means more work with questionable benefit. It's already
> difficult enough to keep the patches on the site up-to-date and even
> (as Hiltjo discovered) to provide checksums for all packages on
> dl.suckless.org. It's easy to delegate such things on the mailing
> list, proposing them (like in your position), but not actually doing
> anything.

It's not so many work if git is configured to always sign and/or the
package build system sign by default.
Received on Thu Aug 24 2017 - 19:02:35 CEST

This archive was generated by hypermail 2.3.0 : Thu Aug 24 2017 - 19:12:22 CEST