Laslo Hunhold <d...@frign.de> writes: > On Thu, 24 Aug 2017 11:02:46 +0200 > ilf <i...@zeromail.org> wrote: > > As nice as PGP sounds, I think it has seen its best days already for > general usage. I know no package manager that implements this model > (tell if there is one). The ones I know use hashes.
pacman uses signatures to verify it's packages and a WoT stemming from Arch developers which you have to accept locally. > But it means more work with questionable benefit. It's already > difficult enough to keep the patches on the site up-to-date and even > (as Hiltjo discovered) to provide checksums for all packages on > dl.suckless.org. It's easy to delegate such things on the mailing > list, proposing them (like in your position), but not actually doing > anything. It's not so many work if git is configured to always sign and/or the package build system sign by default.
