| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 07/16/2015 09:25 PM, Kent Fredric wrote: |
| 5 |
> On 17 July 2015 at 13:13, NP-Hardass <NP-Hardass@g.o> |
| 6 |
> wrote: |
| 7 |
>> Additionally, I feel that a signature is a means of acknowledging |
| 8 |
>> that a package has been looked over, and that developer has |
| 9 |
>> stated that they approve of the existing state |
| 10 |
> |
| 11 |
> |
| 12 |
> That much is somewhat implied by a developer owning a commit. |
| 13 |
> Because in git, single commits span multiple files. |
| 14 |
> |
| 15 |
> There's GIT_COMMITER and GIT_AUTHOR values in every commit. |
| 16 |
> |
| 17 |
> And a "Signature" is a digital proof that Joe Bloggs didn't forge |
| 18 |
> a commit, label it "NP-Hardass" and push it on to some server |
| 19 |
> pretending to be NP-Hardass. |
| 20 |
> |
| 21 |
> It might sound like a rubber stamping, but its no more rubber |
| 22 |
> stamped than our current workflow where signature generation is |
| 23 |
> automatic and having a signed manifest doesn't in fact mean it |
| 24 |
> *has* been looked at, its only signing who touched it last. |
| 25 |
> |
| 26 |
> For NSA to break a Manifest, they'd need to update an entry and |
| 27 |
> resign it, and then we could later work out who signed what |
| 28 |
> manifests if we had any problem |
| 29 |
> |
| 30 |
|
| 31 |
Yeah, I understand that a signed manifest doesn't mean it's been |
| 32 |
looked at. My logic was that signing and keys is pretty prolific at |
| 33 |
this point, so a signed manifest implied the package has been touched |
| 34 |
(and hopefully looked at) by a dev more recently, and those that |
| 35 |
aren't signed probably haven't been touched in a longer amount of time. |
| 36 |
|
| 37 |
- -- |
| 38 |
NP-Hardass |
| 39 |
-----BEGIN PGP SIGNATURE----- |
| 40 |
Version: GnuPG v2 |
| 41 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 42 |
|
| 43 |
iQIcBAEBCAAGBQJVqHLQAAoJEBzZQR2yrxj7a7YQAIlHbIcNl2FVwNOGR5ERegc+ |
| 44 |
RlqmOheNx654aM02Hcd44asTuug9Zy6cJ5k/LSGJEiqupg6EaDS7jnQAfqu+k6Lg |
| 45 |
6JSPnfD0qUr5nrwNDvhUEH5LfVNHsKqCN9XyWvdy3Z0l+vKnyoWVCrINrTMEGCAf |
| 46 |
IkVnuAXXzo83YnJwtcczxbXsLfMpvnJK12Au9sa0H75y01Vqxw6gWvQeEww/fUl4 |
| 47 |
7L3WQCiGJnW5tI7vMVhDq9vpYFaB+VIQekLge3nf5sx6PfDBS4XHqwnUHD/wnj+i |
| 48 |
nqvjMDuyVfbc4NkDh9gW9Nk994VGu/iFBgepwT54khcuYnIVGVnad1Br69yLosDU |
| 49 |
5DGUff1UKCQDjl8Cv88yuCf8y7zTjema3Rg09T0XqsmBWuhacw2zqESplPdlYsNj |
| 50 |
NfDCpcpr71tCP7qhy6y05O58p/ZKQDTp66OeoCghEEiYN89jjIGqT5tdWenDXJ3a |
| 51 |
j+MewMSzampvy5LTg3T0rQvirlq9rC1EXxQ+NmqXkVw2EK64HzcjM+kVyevvYuCK |
| 52 |
2wiqEA4MAodd1LcW2gCNJ/nQ765OQjtMasEb8H/W9DryayzDLICUc3QdENXB5dMb |
| 53 |
x7bS+Ft4TbE/xXyR28MhkYXHO50qeWzlLRjueS9bSdoEPbTfe62JNBv8GvyFFxS4 |
| 54 |
aYvU5QXAjHeXSECERZdU |
| 55 |
=tWk3 |
| 56 |
-----END PGP SIGNATURE----- |
Archives