Re: [dev] file integrity github project

From: Joshua Haase <>
Date: Thu, 24 Aug 2017 12:02:35 -0500

Laslo Hunhold <> writes:

> On Thu, 24 Aug 2017 11:02:46 +0200
> ilf <> wrote:
> As nice as PGP sounds, I think it has seen its best days already for
> general usage. I know no package manager that implements this model
> (tell if there is one). The ones I know use hashes.

pacman uses signatures to verify its packages and a WoT stemming from
Arch developers which you have to accept locally.

> But it means more work with questionable benefit. It's already
> difficult enough to keep the patches on the site up-to-date and even
> (as Hiltjo discovered) to provide checksums for all packages on
> It's easy to delegate such things on the mailing
> list, proposing them (like in your position), but not actually doing
> anything.

It's not so much work if git is configured to always sign and/or the
package build system signs by default.
Received on Thu Aug 24 2017 - 19:02:35 CEST
