It's also here :)
----8<--
untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe



On Mon, Jul 14, 2014 at 8:52 PM, Bob Beck <b...@obtuse.com> wrote:

>
> Once we are back in North America where we can do it (the master signature
> box is airgapped) in case you're ultra paranoid the libressl public key
> will be signed with an OpenBSD release key, which you can buy on CD if you
> really want, and validate it that way.
>
> Having said that, nothing wrong with having it in github - I've just put
> it there in the top of the portable repository. It's also all over twitter
> if you're on there and like to cross check from multiple sources.
>
>
> On Mon, Jul 14, 2014 at 7:14 PM, Ralph Giles <notificati...@github.com>
> wrote:
>
>> Well, we need some way to pass release trust from your upstream to
>> downstream users. Are you saying you don't trust gpg's signature
>> implementation? Why is that different from auditing the GNU autotools?
>>
>>    - Produce a portable version of signify for packaging on other systems.
>>      It seems like a nice tool, especially the built-in checksum support.
>>    - Patch signify to produce OpenPGP signature blocks.
>>    - Someone who trusts both signify and an OpenPGP implementation
>>      re-signs the checksums.
>>
>> It would also help to mirror the releases and/or checksum files here on
>> github so people can cross-verify with however much additional value they
>> want to put in the github https cert, and push signed git tags per issue
>> #3 <https://github.com/libressl-portable/portable/issues/3>.
>>
>>
>
>
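
The cross-check from multiple sources mentioned in the quoted reply, as an added example (not part of the original thread and not LibreSSL's own tooling): it decodes each copy of the signify public key and compares the key bytes, ignoring the untrusted comment line. The source names and the SAME_KEY and ALTERED samples are constructed for illustration; the layout used (2-byte algorithm tag, 8-byte key number, 32-byte Ed25519 key) is signify's public key format.

```python
import base64

# Key text as posted at the top of this message.
POSTED = """untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe
"""
# Constructed samples: the same key under a different comment line,
# and a copy whose last base64 character was altered.
SAME_KEY = POSTED.replace("LibreSSL Portable public key", "copy from a second source")
ALTERED = POSTED.rstrip()[:-1] + "f\n"


def parse_signify_pubkey(text):
    """Return (algorithm, key number as hex, key bytes) from a signify .pub file."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 2 or not lines[0].startswith("untrusted comment: "):
        raise ValueError("expected an 'untrusted comment:' line and one base64 line")
    raw = base64.b64decode(lines[1], validate=True)  # binascii.Error is a ValueError
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a signify Ed25519 public key")
    return raw[:2].decode(), raw[2:10].hex(), raw[10:]


def cross_check(copies):
    """copies maps a source name to the key file text obtained from it.

    Returns (agreed, report). The comment line is never compared: it is
    untrusted and legitimately differs between copies. Mismatches are
    reported relative to the first copy that parses.
    """
    parsed = {}
    for source, text in copies.items():
        try:
            parsed[source] = parse_signify_pubkey(text)
        except ValueError:
            parsed[source] = None
    valid = [key for key in parsed.values() if key is not None]
    reference = valid[0] if valid else None
    report = {}
    for source, key in parsed.items():
        if key is None:
            report[source] = "unparseable"
        else:
            report[source] = "match" if key == reference else "MISMATCH"
    # One source alone proves nothing, so require at least two agreeing copies.
    agreed = len(copies) >= 2 and all(r == "match" for r in report.values())
    return agreed, report
```

A single "MISMATCH" or "unparseable" entry means the copies should not be trusted until the difference is explained through an independent channel.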
