Ximin Luo:
> Signatures provide a way for us to aggregate public trust on binaries that
> don't build themselves. So it's important to have multiple and *very direct*
> meanings of what-is-being-signed, to avoid a transitive-trust situation.
>
I sent this in a rush; better version:
Signatures
Jonathan McDowell:
> On Sun, Aug 21, 2016 at 04:01:00PM +, Ximin Luo wrote:
>> You have this backwards.
>>
>> "Being able to verify individually who build each of the packages I'm
>> running"
>>
>> is *exactly* what is required to *not* have to
>>
>> "attribute trust of *all* of the people who