| 1 |
Hello Rich, |
| 2 |
|
| 3 |
There's a lot of text there, and rather than trying to parse all of |
| 4 |
that, I'll just reiterate a primary important design goal that might |
| 5 |
be overlooked: |
| 6 |
|
| 7 |
- End to end signatures from the developer to the user. |
| 8 |
|
| 9 |
This means that no matter the operation infra does before shipping it |
| 10 |
out to the user, the user still needs to verify that the packages came |
| 11 |
from the developers. In other words, whatever complicated mechanism |
| 12 |
you propose, it needs to not rely on trusting infra to hold onto any |
| 13 |
secrets. For example, I don't know whether this is attainable with the |
| 14 |
the git signatures alone, without requiring users to sync the entire |
| 15 |
git repository, which might not be acceptable for some. |
| 16 |
|
| 17 |
Jason |
Archives