On 07/16/2015 09:25 PM, Kent Fredric wrote:
> On 17 July 2015 at 13:13, NP-Hardass <NP-Hardass@g.o>
> wrote:
>> Additionally, I feel that a signature is a means of acknowledging
>> that a package has been looked over, and that developer has
>> stated that they approve of the existing state
>
>
> That much is somewhat implied by a developer owning a commit.
> Because in git, single commits span multiple files.
>
> There are GIT_COMMITTER and GIT_AUTHOR values in every commit.
>
> And a "Signature" is a digital proof that Joe Bloggs didn't forge
> a commit, label it "NP-Hardass" and push it on to some server
> pretending to be NP-Hardass.
>
> It might sound like rubber stamping, but it's no more rubber
> stamped than our current workflow where signature generation is
> automatic and having a signed manifest doesn't in fact mean it
> *has* been looked at; it's only signing who touched it last.
>
> For the NSA to break a Manifest, they'd need to update an entry and
> resign it, and then we could later work out who signed what
> manifests if we had any problem
>

Yeah, I understand that a signed manifest doesn't mean it's been
looked at. My logic was that signing and keys are pretty prolific at
this point, so a signed manifest implied the package has been touched
(and hopefully looked at) by a dev more recently, and those that
aren't signed probably haven't been touched in a longer amount of time.

--
NP-Hardass
39 |
-----BEGIN PGP SIGNATURE----- |
40 |
Version: GnuPG v2 |
41 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
42 |
|
43 |
iQIcBAEBCAAGBQJVqHLQAAoJEBzZQR2yrxj7a7YQAIlHbIcNl2FVwNOGR5ERegc+ |
44 |
RlqmOheNx654aM02Hcd44asTuug9Zy6cJ5k/LSGJEiqupg6EaDS7jnQAfqu+k6Lg |
45 |
6JSPnfD0qUr5nrwNDvhUEH5LfVNHsKqCN9XyWvdy3Z0l+vKnyoWVCrINrTMEGCAf |
46 |
IkVnuAXXzo83YnJwtcczxbXsLfMpvnJK12Au9sa0H75y01Vqxw6gWvQeEww/fUl4 |
47 |
7L3WQCiGJnW5tI7vMVhDq9vpYFaB+VIQekLge3nf5sx6PfDBS4XHqwnUHD/wnj+i |
48 |
nqvjMDuyVfbc4NkDh9gW9Nk994VGu/iFBgepwT54khcuYnIVGVnad1Br69yLosDU |
49 |
5DGUff1UKCQDjl8Cv88yuCf8y7zTjema3Rg09T0XqsmBWuhacw2zqESplPdlYsNj |
50 |
NfDCpcpr71tCP7qhy6y05O58p/ZKQDTp66OeoCghEEiYN89jjIGqT5tdWenDXJ3a |
51 |
j+MewMSzampvy5LTg3T0rQvirlq9rC1EXxQ+NmqXkVw2EK64HzcjM+kVyevvYuCK |
52 |
2wiqEA4MAodd1LcW2gCNJ/nQ765OQjtMasEb8H/W9DryayzDLICUc3QdENXB5dMb |
53 |
x7bS+Ft4TbE/xXyR28MhkYXHO50qeWzlLRjueS9bSdoEPbTfe62JNBv8GvyFFxS4 |
54 |
aYvU5QXAjHeXSECERZdU |
55 |
=tWk3 |
56 |
-----END PGP SIGNATURE----- |
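The point Kent makes above is that the author/committer fields in a commit are free text, and only the OpenPGP signature lets you check who really produced it. The script below is an added example (not from this thread or from Gentoo's tooling) of how a maintainer could audit a history for that: it wraps `git log` with the `%G?`/`%GK` placeholders and flags commits whose signature is missing, bad, or made with a key outside an allowlist. It assumes git and gpg are installed with the signers' public keys imported; the sample report and allowlist at the bottom are constructed stand-ins for real output.

```shell
#!/bin/sh
# Added example: audit which commits carry a *verified* signature, as opposed
# to merely naming an author/committer (GIT_AUTHOR_*/GIT_COMMITTER_* are free
# text). %G? is gpg's verdict: G=good, B=bad, U=good but untrusted key,
# N=no signature, E=could not check. %GK is the signing key ID.

# Produce "<commit> <status> <key-id>" lines for a revision range.
# Wraps git; needs gpg and the signers' public keys available.
signature_report() {
    git log --format='%H %G? %GK' "$1"
}

# Given a report (as a string) and a file of allowed key IDs (one per line),
# print every commit that is NOT signed with a good signature by an
# allowed key, with the reason: the raw status, or untrusted-key:<id>.
unverified_commits() {
    report="$1"; allowlist="$2"
    printf '%s\n' "$report" | while read -r commit status key; do
        if [ "$status" != "G" ]; then
            printf '%s %s\n' "$commit" "$status"
        elif ! grep -qxF "$key" "$allowlist"; then
            printf '%s untrusted-key:%s\n' "$commit" "$key"
        fi
    done
}

# Constructed sample data standing in for `signature_report HEAD~4..HEAD`
# and for a maintainer key allowlist; not real commits or keys.
SAMPLE_REPORT='aaaa G 0123456789ABCDEF
bbbb N
cccc G FEDCBA9876543210
dddd B 0123456789ABCDEF'
SAMPLE_ALLOW=$(mktemp)
printf '0123456789ABCDEF\n' > "$SAMPLE_ALLOW"

# Prints bbbb (unsigned), cccc (key not allowlisted) and dddd (bad signature).
unverified_commits "$SAMPLE_REPORT" "$SAMPLE_ALLOW"
rm -f "$SAMPLE_ALLOW"
```

Against a live repository, replace the sample with `unverified_commits "$(signature_report origin/master..HEAD)" keys.txt`; an empty result means every commit in the range is signed by a listed key.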