On Thu, Aug 24, 2017 at 11:02:46AM +0200, ilf wrote:
> I want to strongly advocate for OpenPGP signatures of releases.
>
> HTTPS is good, and it's the new default:
> https://www.eff.org/deeplinks/2017/02/were-halfway-encrypting-entire-web
> The hierarchical trust model of X.509 makes it suitable for many things, but
> for signing code that we build and run on our machines, I would like to use
> the strongest available trust model.
>
> The OpenPGP "web of trust" might be a little clumsy to use for some people
> and others might not have a trust path to the signing key(s). But when you
> have verified the signing key, it's the strongest cryptographically verified
> trust method out there. I'm sure many people here can use it correctly, and
> surely it's now suckless' fault, if people use it wrong.
>

*not :)

> Providing an OpenPGP signature does not hurt anyone and does not force
> anyone to use it.
>
> If people trust code from git, http or https - nice for them.
> If people trust checksums - nice for them.
> If people want to verify code authenticity and integrity via OpenPGP -
> please let them!
>
> Thanks, and keep up the good work!
>
> Mattias Andrée:
> > * The number of people that actually know the developers of an individual
> > package is negligible, so there isn't actually anyone that the users can
> > trust.
>

I fully agree. We can use the technology since it's good "policy" anyway until the trust web expands. If we don't use it then it's assured it won't/can't be used. The first start is exchanging PGP keys when developers meet or can exchange keys securely.

-- 
Kind regards,
Hiltjo