[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Signed archives (preliminary patch)
|
From: |
Nikita Karetnikov |
|
Subject: |
Re: Signed archives (preliminary patch) |
|
Date: |
Fri, 28 Feb 2014 22:46:44 +0400 |
> How do you envision the transition from this single-signature
> architecture to one where other users and/or independent build farms
> can add their signatures to hydra? Will those signatures be treated
> differently than the signatures created by hydra.gnu.org? Will they
> be stored and sent to users using a different mechanism?
Let’s not get ahead of ourselves. The “single signature” solution is
far from being perfect, but it’s way better than nothing. I suspect
that the “web of trust” thing would require a lot of effort. So I
propose to postpone that until we implement the former since a bird in
the hand is worth two in the bush. Even though that bird would be an
obvious target for an attacker.
c
pgp6bcaYhHZgu.pgp
Description: PGP signature
- Re: Signed archives, Nikita Karetnikov, 2014/02/03
- Re: Signed archives, Ludovic Courtès, 2014/02/04
- Re: Signed archives, Nikita Karetnikov, 2014/02/20
- Re: Signed archives, Ludovic Courtès, 2014/02/21
- Re: Signed archives (preliminary patch), Nikita Karetnikov, 2014/02/27
- Re: Signed archives (preliminary patch), Ludovic Courtès, 2014/02/27
- Re: Signed archives (preliminary patch), Mark H Weaver, 2014/02/28
- Re: Signed archives (preliminary patch), Ludovic Courtès, 2014/02/28
- Re: Signed archives (preliminary patch),
Nikita Karetnikov <=
- Re: Signed archives (preliminary patch), Nikita Karetnikov, 2014/02/28
- Re: Signed archives (preliminary patch), Ludovic Courtès, 2014/02/28
- Applying the GPG web-of-trust to Guix (was Re: Signed archives), Mark H Weaver, 2014/02/21
- Re: Applying the GPG web-of-trust to Guix (was Re: Signed archives), Ludovic Courtès, 2014/02/21