On 07/17/2015 03:13 AM, NP-Hardass wrote:
> Additionally, I feel that a signature is a means of acknowledging
> that a package has been looked over, and that the developer has stated
> that they approve of the existing state. I'm not sure if others
> agree with that sentiment,

I appreciate that you bring up this point. I would expect that part of that state is for the developer to verify the source distfile from upstream using OpenPGP / GnuPG as well, i.e. not just rely on TOFU (trust on first use). This also means keeping a (locally) certified copy of the upstream distribution key that is reasonably verified by the developer.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
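Checking a distfile the way the reply describes, as an added shell example that is not from the original thread: a dedicated keyring holds the upstream key after it was fingerprint-checked and locally certified, and the signature is accepted only if gpg reports a valid signature from that pinned key. The fingerprint, keyring path and file names below are placeholders.

```shell
#!/bin/sh
# Verify an upstream distfile against its detached OpenPGP signature, accepting
# it only when the signing key is the one whose fingerprint was verified
# out-of-band and pinned here (never "whatever key showed up first").
set -eu

# Placeholder, constructed for this example: the real value is the upstream
# release key's fingerprint as verified by the developer beforehand.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Canonicalise a fingerprint: drop spaces, uppercase hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Policy over gpg --status-fd output ($1) and the pinned fingerprint ($2):
# reject on any bad/expired/revoked status, then require a VALIDSIG line whose
# primary-key fingerprint (field 12; signing-key fingerprint in field 3 when
# no primary is reported) equals the pin. Returns 0 if acceptable, 1 otherwise.
status_ok() {
    status="$1"; want=$(normalize_fpr "$2")
    printf '%s\n' "$status" \
        | grep -qE '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) ' \
        && return 1
    got=$(printf '%s\n' "$status" \
        | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print ($12!="" ? $12 : $3); exit}')
    [ -n "$got" ] || return 1
    [ "$(normalize_fpr "$got")" = "$want" ]
}

# Run gpg against a dedicated keyring that was populated earlier with
#   gpg --no-default-keyring --keyring "$keyring" --import upstream-key.asc
#   gpg --no-default-keyring --keyring "$keyring" --lsign-key "$EXPECTED_FPR"
# and apply the policy above; gpg's exit code alone is not trusted.
verify_distfile() {
    keyring="$1"; sig="$2"; file="$3"
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)
    status_ok "$status" "$EXPECTED_FPR"
}
```

Usage: `verify_distfile /etc/portage/upstream-keys.gpg foo-1.0.tar.xz.asc foo-1.0.tar.xz` (paths are placeholders).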