I want to strongly advocate for OpenPGP signatures of releases.
HTTPS is good, and it's the new default: https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web The hierarchical trust model of X.509 makes it suitable for many things, but for signing code that we build and run on our machines, I would like to use the strongest available trust model.
The OpenPGP "web of trust" might be a little clumsy to use for some people, and others might not have a trust path to the signing key(s). But when you have verified the signing key, it's the strongest cryptographically verified trust method out there. I'm sure many people here can use it correctly, and surely it's not suckless' fault if people use it wrong.
Providing an OpenPGP signature does not hurt anyone and does not force anyone to use it.
If people trust code from git, http or https - nice for them. If people trust checksums - nice for them. If people want to verify code authenticity and integrity via OpenPGP - please let them!
Thanks, and keep up the good work!

Mattias Andrée:
* The number of people that actually know the developers of an individual package is negligible, so there isn't actually anyone that the users can trust.
-- ilf
Over 80 million Germans don't use a console. Don't click away! -- An initiative of the Federal Office for Keyboard Use
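How a maintainer produces such a detached release signature and how a user should check it, including the "verified the signing key" step the post mentions; this is an added example, not code from the post or from suckless. It assumes GnuPG 2.1 or later is installed, uses a throw-away keyring and a constructed stand-in tarball, and the key, user id and fingerprints below are placeholders.

```shell
#!/bin/sh
# Added example: sign a release with a detached OpenPGP signature and verify it
# the way a careful user should, i.e. not just "gpg --verify exits 0" but
# "the signature was made by the key whose fingerprint I already checked".
# Everything runs in a throw-away keyring so it never touches ~/.gnupg.
set -eu
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Constructed stand-in for a release tarball, plus a tampered copy for later.
printf 'demo release contents\n' > "$WORK/demo-0.1.tar.gz"
cp "$WORK/demo-0.1.tar.gz" "$WORK/tampered.tar.gz"
printf 'tampered\n' >> "$WORK/tampered.tar.gz"

# Maintainer side: an ephemeral, passphrase-less signing key (demo only) and a
# detached ASCII-armoured signature shipped next to the tarball.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Maintainer <maintainer@example.invalid>' ed25519 sign 1d >/dev/null 2>&1
MAINTAINER_FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/demo-0.1.tar.gz.sig" "$WORK/demo-0.1.tar.gz"

# User side. $3 is the fingerprint the user obtained out of band (the step that
# makes the signature worth anything); a good signature from some other key is
# not enough. Returns 0 only if the signature is valid AND made by that key.
verify_release() {
    # $1 = file, $2 = detached signature, $3 = expected signing-key fingerprint
    status="$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)"
    # The VALIDSIG status line carries the full fingerprint of the signing key.
    got="$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; exit}')"
    [ -n "$got" ] && [ "$got" = "$3" ]
}

verify_release "$WORK/demo-0.1.tar.gz" "$WORK/demo-0.1.tar.gz.sig" "$MAINTAINER_FPR" \
    && echo "good: signed by the expected key"
# gpg itself reports "Good signature" here, but the signer is not the key the user trusts.
verify_release "$WORK/demo-0.1.tar.gz" "$WORK/demo-0.1.tar.gz.sig" \
    "0000000000000000000000000000000000000000" || echo "rejected: wrong signer"
verify_release "$WORK/tampered.tar.gz" "$WORK/demo-0.1.tar.gz.sig" "$MAINTAINER_FPR" \
    || echo "rejected: contents changed"
```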