Hello Rich, There's a lot of text there, and rather than trying to parse all of that, I'll just reiterate a primary important design goal that might be overlooked:
- End to end signatures from the developer to the user. This means that no matter the operation infra does before shipping it out to the user, the user still needs to verify that the packages came from the developers. In other words, whatever complicated mechanism you propose, it needs to not rely on trusting infra to hold onto any secrets. For example, I don't know whether this is attainable with the git signatures alone, without requiring users to sync the entire git repository, which might not be acceptable for some.

Jason
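The end-to-end property described above, as an added example that is not code from this thread: the developer signs a manifest of file digests with a key that stays on the developer's machine, and the user checks only against the developer's pinned public key, so a file altered in transit fails, and a manifest re-signed with infra's key fails too. The package contents and keys are constructed for the demo; the manifest format is an assumption, not any project's actual format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Package maps each shipped file path to its contents (constructed for the demo).
type Package map[string][]byte
// Manifest is the signed artefact: one "sha256  path" line per file, sorted by path.
func Manifest(p Package) []byte {
	paths := make([]string, 0, len(p))
	for path := range p {
		paths = append(paths, path)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, path := range paths {
		sum := sha256.Sum256(p[path])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), path)
	}
	return []byte(b.String())
}

// DeveloperSign runs on the developer's machine; the private key never reaches infra.
func DeveloperSign(priv ed25519.PrivateKey, p Package) []byte {
	return ed25519.Sign(priv, Manifest(p))
}

// UserVerify checks the developer's signature over the manifest, then that the
// delivered files reproduce that exact manifest. Infra's key is never consulted.
func UserVerify(devPub ed25519.PublicKey, p Package, manifest, sig []byte) bool {
	return ed25519.Verify(devPub, manifest, sig) && string(Manifest(p)) == string(manifest)
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, infraPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := Package{"bin/tool": []byte("v1"), "README": []byte("docs")}
	manifest, sig := Manifest(pkg), DeveloperSign(devPriv, pkg)
	fmt.Println("untouched:", UserVerify(devPub, pkg, manifest, sig)) // true
	// Infra alters a file in transit and re-signs the new manifest with its own key.
	tampered := Package{"bin/tool": []byte("v1+patch"), "README": []byte("docs")}
	fmt.Println("tampered, dev sig:", UserVerify(devPub, tampered, manifest, sig)) // false
	fmt.Println("tampered, infra sig:", UserVerify(devPub, tampered, Manifest(tampered), ed25519.Sign(infraPriv, Manifest(tampered)))) // false
}
```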