Hi, Skyler Ferris <skyv...@protonmail.com> skribis:
> In short, I'm not sure that we actually get any value from checking the
> PGP signature for most projects. Either HTTPS is good enough or the
> attacker won. 99% of the time HTTPS is good enough (though it is notable
> that the remaining 1% has a disproportionate impact on the affected
> population).

When checking PGP signatures, you end up with a trust-on-first-use model: the first time, you download a PGP key that you know nothing about and you authenticate code against that, which gives no information. On subsequent releases though, you can ensure (ideally) that releases still originate from the same party.

HTTPS has nothing to do with that: it just proves that the web server holds a valid certificate for its domain name.

But really, the gold standard, if I dare forego any form of modesty, is the ‘.guix-authorizations’ model as it takes care of key distribution as well as authorization delegation and revocation.

https://doi.org/10.22152/programming-journal.org/2023/7/1

Ludo’.
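The ‘.guix-authorizations’ rule sketched above, as an added toy model that is not part of this message and not Guix's own code. The single trust-on-first-use step is the channel introduction (a commit id plus a key fingerprint obtained out of band); every later commit must be signed by a key listed in the ‘.guix-authorizations’ of each of its parents, so adding a key to that file is delegation and removing it is revocation for all descendants. The model assumes each commit's OpenPGP signature has already been verified and that `signer` holds the fingerprint of the key that produced it; the commit ids, the fingerprints "ALICE"/"BOB" and the history itself are constructed for illustration.

```python
"""Toy model of the '.guix-authorizations' authorization invariant (added example).

Not Guix's implementation.  Assumes signature verification already happened:
`signer` is the fingerprint of the key whose signature on the commit checked out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    cid: str                    # commit identifier (constructed short id)
    parents: tuple              # ids of parent commits; empty for a root commit
    signer: str                 # fingerprint of the key that signed this commit
    authorizations: frozenset   # fingerprints in '.guix-authorizations' at this commit


def authorized(repo, target, introduction):
    """Check `target` against the channel introduction (commit id, fingerprint).

    Returns (True, "ok") when every commit between the introduction and `target`
    is signed by a key listed in the '.guix-authorizations' of *all* its parents,
    otherwise (False, reason).  The introduction commit itself is trusted out of
    band, which is the only trust-on-first-use step in the model.
    """
    intro_id, intro_fpr = introduction
    if intro_id not in repo:
        return False, f"introduction commit {intro_id} not found"
    if repo[intro_id].signer != intro_fpr:
        return False, f"introduction commit {intro_id} is not signed by {intro_fpr}"

    seen = set()
    stack = [target]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue
        seen.add(cid)
        if cid == intro_id:
            continue                       # trusted via the out-of-band introduction
        commit = repo.get(cid)
        if commit is None:
            return False, f"unknown commit {cid}"
        if not commit.parents:
            # Reached a root without passing through the introduction, so the
            # target does not descend from the trusted starting point.
            return False, f"{cid} does not descend from introduction {intro_id}"
        for parent in commit.parents:
            if parent not in repo:
                return False, f"unknown parent {parent} of {cid}"
            if commit.signer not in repo[parent].authorizations:
                return False, (f"{cid} is signed by {commit.signer}, which is not "
                               f"authorized in parent {parent}")
        stack.extend(commit.parents)
    return True, "ok"


def sample_repo():
    """Constructed history: ALICE delegates to BOB, BOB commits, ALICE revokes BOB."""
    a = Commit("A", (), "ALICE", frozenset({"ALICE"}))              # introduction
    b = Commit("B", ("A",), "ALICE", frozenset({"ALICE", "BOB"}))   # delegation to BOB
    c = Commit("C", ("B",), "BOB", frozenset({"ALICE", "BOB"}))     # BOB may commit now
    d = Commit("D", ("C",), "ALICE", frozenset({"ALICE"}))          # revocation of BOB
    e = Commit("E", ("D",), "BOB", frozenset({"ALICE", "BOB"}))     # BOB re-adds himself: rejected
    x = Commit("X", ("A",), "BOB", frozenset({"BOB"}))              # BOB right after A: rejected
    return {commit.cid: commit for commit in (a, b, c, d, e, x)}


INTRODUCTION = ("A", "ALICE")   # constructed: commit id and fingerprint learned out of band

if __name__ == "__main__":
    repo = sample_repo()
    for target in ("D", "E", "X"):
        print(target, authorized(repo, target, INTRODUCTION))
```

Note how the revocation in D is what makes E fail: BOB can write whatever he likes into his own ‘.guix-authorizations’, but the check consults the parent's file, not the commit's own, so a key cannot reinstate itself. Compare this with HTTPS, which would happily serve E, and with plain PGP TOFU, which would accept E as long as the same BOB key kept signing.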