Re: [Chicken-users] chicken-install package integrity/signing


From: Thomas Chust
Subject: Re: [Chicken-users] chicken-install package integrity/signing
Date: Sun, 25 Nov 2018 12:10:47 +0100

Hello,

implementing package signatures is technically not such a big deal (see the
experimental example script here: 
https://paste.call-cc.org/paste?id=b5f6d4cce329d48d64eefbe0922b64aebb16a9e5 :-)

But we need to decide who should be responsible for signatures and which keys
should be trusted by the package manager. The simplest solution would probably
be to have one trusted signing key and signatures applied automatically by the
package server. However, this is not the most secure solution.

The best guarantees for authenticity of the egg code would be given by
signatures from the original package authors; however, implementing that may
require a significant infrastructural overhead to maintain up-to-date lists of
current keys and which eggs they are allowed to sign.

Ciao,
Thomas


-- 
There are only two things wrong with C++: The initial concept and the
implementation.
-- Bertrand Meyer

Attachment: pgpmmtE8Gs5Sp.pgp
Description: PGP signature
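An added example, not part of this thread and not the script linked in the message above: a Go sketch (standard-library Ed25519 only) of the trust decision the message describes, where the client ships a registry of known keys plus a per-egg list of which keys may sign it, and rejects an archive whose key is unknown, whose key is trusted but not authorized for that egg, or whose signature fails. The `Registry`, `Sign` and `Verify` names, the key-ID convention, the name-binding in `signingInput` and the sample egg bytes are all assumptions made for the example; the real package server or egg format is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID names a trusted public key. The convention used here (truncated
// SHA-256 of the raw key bytes, hex-encoded) is an assumption for the example.
type KeyID string

func keyIDOf(pub ed25519.PublicKey) KeyID {
	sum := sha256.Sum256(pub)
	return KeyID(hex.EncodeToString(sum[:8]))
}

// Registry is the trust policy a client would ship with: the known keys and,
// per egg name, which of those keys may sign it.
type Registry struct {
	Keys    map[KeyID]ed25519.PublicKey
	Signers map[string][]KeyID
}

// SignedEgg is what a package server could serve: the archive, the ID of the
// key that signed it, and a detached Ed25519 signature.
type SignedEgg struct {
	Name    string
	Archive []byte
	Signer  KeyID
	Sig     []byte
}

// signingInput binds the egg name into the signed data, so a signature that is
// valid for one egg cannot be replayed as a signature for another egg.
func signingInput(name string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator; assumes egg names contain no NUL
	h.Write(archive)
	return h.Sum(nil)
}

// Sign produces a SignedEgg with the given private key (author or server key).
func Sign(name string, archive []byte, priv ed25519.PrivateKey) SignedEgg {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedEgg{
		Name: name, Archive: archive, Signer: keyIDOf(pub),
		Sig: ed25519.Sign(priv, signingInput(name, archive)),
	}
}

var (
	ErrUnknownKey    = errors.New("signer key is not in the trusted registry")
	ErrNotAuthorized = errors.New("key is not authorized to sign this egg")
	ErrBadSignature  = errors.New("signature does not verify over name and archive")
)

// Verify is the check a client would run before unpacking anything: the key
// must be known, authorized for this particular egg, and the signature must hold.
func (r Registry) Verify(e SignedEgg) error {
	pub, ok := r.Keys[e.Signer]
	if !ok {
		return ErrUnknownKey
	}
	authorized := false
	for _, id := range r.Signers[e.Name] {
		if id == e.Signer {
			authorized = true
		}
	}
	if !authorized {
		return ErrNotAuthorized
	}
	if !ed25519.Verify(pub, signingInput(e.Name, e.Archive), e.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo builds a two-author registry and runs the verifier over constructed
// cases; it returns the outcome of each so the results can be checked.
func Demo() map[string]error {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // author of alpha and gamma
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // author of beta
	_, privX, _ := ed25519.GenerateKey(rand.Reader)    // key nobody trusts
	reg := Registry{
		Keys: map[KeyID]ed25519.PublicKey{keyIDOf(pubA): pubA, keyIDOf(pubB): pubB},
		Signers: map[string][]KeyID{
			"alpha": {keyIDOf(pubA)}, "beta": {keyIDOf(pubB)}, "gamma": {keyIDOf(pubA)},
		},
	}
	archive := []byte("constructed alpha egg archive bytes") // stands in for the tarball

	good := Sign("alpha", archive, privA)
	tampered := good
	tampered.Archive = append([]byte("x"), archive[1:]...) // one byte changed in transit
	renamed := good
	renamed.Name = "gamma" // A may sign gamma, but this signature was made over "alpha"

	return map[string]error{
		"valid":         reg.Verify(good),
		"tampered":      reg.Verify(tampered),
		"renamed":       reg.Verify(renamed),
		"wrong_author":  reg.Verify(Sign("alpha", archive, privB)), // trusted key, wrong egg
		"untrusted_key": reg.Verify(Sign("alpha", archive, privX)),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-14s %v\n", name, err)
	}
}
```

The single-server-key variant from the message is the same code with a registry holding one key that is listed as the signer for every egg; what is lost is exactly the `wrong_author` case, since a compromised server key can then sign anything. Binding the egg name into the signed input is what makes the `renamed` case fail rather than pass.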

