On Thu, Aug 24, 2017 at 12:02:35PM -0500, Joshua Haase wrote:
> Laslo Hunhold <d...@frign.de> writes:
>
> > On Thu, 24 Aug 2017 11:02:46 +0200
> > ilf <i...@zeromail.org> wrote:
> >
> > As nice as PGP sounds, I think it has seen its best days already for
> > general usage. I know no package manager that implements this model
> > (tell if there is one). The ones I know use hashes.
>
> pacman uses signatures to verify its packages and a WoT stemming from
> Arch developers which you have to accept locally.
>
> > But it means more work with questionable benefit. It's already
> > difficult enough to keep the patches on the site up-to-date and even
> > (as Hiltjo discovered) to provide checksums for all packages on
> > dl.suckless.org. It's easy to delegate such things on the mailing
> > list, proposing them (like in your position), but not actually doing
> > anything.
>
> It's not so much work if git is configured to always sign and/or the
> package build system signs by default.
>
Yes, part of this work is already done. The hackathon is probably a good
time to switch this over. I think signing should be done locally, however,
by the repository maintainer or owner.

--
Kind regards,
Hiltjo
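The two verification models the thread contrasts, a plain checksum list (the "hashes" approach discussed for dl.suckless.org) and a detached PGP signature checked against locally accepted keys (the pacman / signed-git approach), as an added shell example. This is not code from the thread or from suckless' own tooling; the package name, its contents and the checksum list below are constructed, and the script assumes either `sha256sum` or `shasum` is installed, with `gpg` only needed for the signature path.

```shell
#!/bin/sh
# Added example, not from the thread: the "hashes" model (a sha256sum-style
# checksum list) beside the "signatures" model (a detached PGP signature).
# Nothing here is suckless' own tooling; file names and contents are constructed.
set -eu

# SHA-256 of a file, using whichever tool is present (assumption: coreutils
# sha256sum or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Model 1: checksum list in sha256sum format ("<hash>  <name>" or "<hash> *<name>").
# Returns 0 only when the file has an entry AND the digest matches. A missing
# entry is a failure, not a pass: a file the list never covered is not "verified".
verify_checksum() {
    file=$1; list=$2
    name=$(basename "$file")
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    while read -r expected listed; do
        listed=${listed#\*}            # strip sha256sum's binary-mode marker
        [ "$listed" = "$name" ] || continue
        [ "$expected" = "$actual" ] && return 0
        return 1                       # entry present but digest differs
    done < "$list"
    return 1                           # no entry for this file at all
}

# Model 2: detached signature "<file>.sig" checked against the keys already
# trusted in the local keyring (the "accept locally" step from the thread).
# gpg --verify exits non-zero on a bad signature or an unknown key.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$1.sig" "$1"
}

# Stand-alone demonstration on a constructed package.
workdir=$(mktemp -d)
printf 'constructed package contents\n' > "$workdir/example-1.0.tar.gz"
( cd "$workdir" && printf '%s  %s\n' "$(sha256_of example-1.0.tar.gz)" example-1.0.tar.gz > sha256sums.txt )

if verify_checksum "$workdir/example-1.0.tar.gz" "$workdir/sha256sums.txt"; then
    echo "untouched tarball: checksum OK"
fi
printf 'extra byte\n' >> "$workdir/example-1.0.tar.gz"   # simulate modification in transit
if ! verify_checksum "$workdir/example-1.0.tar.gz" "$workdir/sha256sums.txt"; then
    echo "modified tarball: checksum MISMATCH"
fi
rm -rf "$workdir"
```

A checksum list only detects corruption or modification of the tarball if the list itself is obtained over a channel the attacker cannot rewrite; that is the gap the signature model closes, at the cost of the key distribution and "accept locally" step the thread describes. For the "git configured to always sign" half, `git config commit.gpgsign true` (and `tag.gpgSign true` for tags) are the real settings that make a maintainer's commits and tags signed by default.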