Martin Schrvder wrote:
2008/12/17 Marc Espie <es...@nerim.net>:
We think it's worse to sign packages than not to sign them if you don't have
a fairly strict process that ensures you have a correct chain of trust.
Agreed. PGP provides that, but I can understand that nobody wants GnuPG
in base. :-{
the next best option i can think of is to have the hashes (sha256 and/or
others) fetched via ssh from a trusted site, e.g. your nearest anoncvs
server. it avoids the gnupg requirement but is still susceptible to mitm
on key fingerprints, etc. if you can't trust your local anoncvs server,
you've got a problem that may be too big to fix anyhow.
note that this may not work so well and i'm only making this suggestion
in hopes it could allow for a solution that, afaict, requires less work
and maintenance than a full PKI solution.
cheers,
jake
Best
Martin
