| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
On 07/17/2015 03:13 AM, NP-Hardass wrote: |
| 5 |
|
| 6 |
> Additionally, I feel that a signature is a means of acknowledging |
| 7 |
> that a package has been looked over, and that developer has stated |
| 8 |
> that they approve of the existing state. I'm not sure if others |
| 9 |
> agree with that sentiment, |
| 10 |
|
| 11 |
I appreciate that you bring up this point. I would expect that part of |
| 12 |
that state is for the developer to verify the source distfile from |
| 13 |
upstream using OpenPGP / GnuPG as well, i.e not just rely on TOFU |
| 14 |
(trust on first use). This also means keeping a (locally) certified |
| 15 |
copy of the upstream distribution key that is reasonably verified by |
| 16 |
the developer. |
| 17 |
|
| 18 |
- -- |
| 19 |
Kristian Fiskerstrand |
| 20 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
| 21 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| 22 |
-----BEGIN PGP SIGNATURE----- |
| 23 |
|
| 24 |
iQEcBAEBCgAGBQJVqLpCAAoJECULev7WN52FtmYH/3ySS/fM62KcRyxHrfDswNzA |
| 25 |
sL0lj43JxWAwCcPI46X8ag7nUBYwuo/x9E6IDQotAe1MoiV3vPGLIDugrCHIE0Ai |
| 26 |
AxVKhPwCXFDxtNwSKDIxiaupssLSt9uLB5rCMP+eJoFl3wiQb7rI4ly/qXE2DI6O |
| 27 |
U6sLABiq/7nmRSsCzakyNionknSU60HLo3V1o8/KdoyBfaup9FsHdFYMZmbn+w0T |
| 28 |
0Rv2FJV6z0BsjmaOJQ4qCrOqtcNLnrUaXGdRm153LfAWoWiBMhM/mlOsDk73j4zw |
| 29 |
NtMSJpKbfIHsNrF8d9c6xrni5zlmaEjGoeQKSVJILEwO4ROnUKh2M1LwOiTkhzo= |
| 30 |
=bVWz |
| 31 |
-----END PGP SIGNATURE----- |
Archives