On 07/17/2015 03:13 AM, NP-Hardass wrote:

> Additionally, I feel that a signature is a means of acknowledging
> that a package has been looked over, and that developer has stated
> that they approve of the existing state. I'm not sure if others
> agree with that sentiment,

I appreciate that you bring up this point. I would expect that part of
that state is for the developer to verify the source distfile from
upstream using OpenPGP / GnuPG as well, i.e. not just rely on TOFU
(trust on first use). This also means keeping a (locally) certified
copy of the upstream distribution key that is reasonably verified by
the developer.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
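An added example (not from this thread) of what "not just TOFU" looks like in practice: a POSIX sh check that accepts a distfile signature only when gpg reports a VALIDSIG from the fingerprint the developer pinned beforehand and the key is fully valid in a dedicated GnuPG home where it was locally certified. The GnuPG home path, fingerprints and status lines below are constructed for illustration.

```shell
#!/bin/sh
# Decide from `gpg --status-fd` output whether a distfile signature counts.
# $1: status text, $2: fingerprint pinned by the developer (40 hex chars).
# Succeeds only if a VALIDSIG names the pinned key (signing key or primary
# key field), the key is fully/ultimately valid, and nothing flags it as
# bad, expired or revoked. A GOODSIG from any other key is rejected.
distfile_sig_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd> <pk> <hash> <class> <primary-fpr>
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { sig = 1 }
        $1 == "[GNUPG:]" && ($2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE") { trust = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" ||
                             $2 == "REVKEYSIG" || $2 == "KEYREVOKED") { bad = 1 }
        END { if (sig && trust && !bad) exit 0; exit 1 }'
}

# Verify a detached signature using a dedicated GnuPG home that holds only
# the developer's own key and the locally certified (gpg --lsign-key)
# upstream key, never the default keyring. Assumed layout, not a standard.
# $1: GnuPG home dir, $2: pinned fingerprint, $3: .sig/.asc, $4: distfile
verify_distfile() {
    status=$(GNUPGHOME="$1" gpg --status-fd 1 --verify "$3" "$4" 2>/dev/null) || true
    distfile_sig_ok "$status" "$2"
}

# Constructed status output for demonstration (no real keys involved).
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
STATUS_PINNED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-07-17 1437093450 0 4 0 1 10 00 $PINNED_FPR
[GNUPG:] TRUST_FULLY 0 pgp"
# Same structure, but a key the developer never certified (TOFU scenario).
STATUS_UNKNOWN="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2015-07-17 1437093450 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp"

demo() {
    distfile_sig_ok "$STATUS_PINNED" "$PINNED_FPR" && echo "pinned key: accepted"
    distfile_sig_ok "$STATUS_UNKNOWN" "$PINNED_FPR" || echo "unknown key: rejected"
}
```

Plain `gpg --verify` exits 0 for the second case as well once the key is imported, which is exactly the TOFU shortcut the check above refuses.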