[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Chicken-users] chicken-install package integrity/signing

From: Thomas Chust
Subject: Re: [Chicken-users] chicken-install package integrity/signing
Date: Sun, 25 Nov 2018 12:10:47 +0100


implementing package signatures is technically not such a big deal (see the
experimental example script here: :-)

But we need to decide who should be responsible for signatures and which keys
should be trusted by the package manager. The simplest solution would probably
be to have one trusted signing key and signatures applied automatically by the
package server. However, this is not the most secure solution.

The best guarantees for authenticity of the egg code would be given by
signatures from the original package authors, however implementing that may
require a significant infrastructural overhead to maintain up-to-date lists of
current keys and which eggs they are allowed to sign.


There are only two things wrong with C++: The initial concept and the
-- Bertrand Meyer

Attachment: pgpmmtE8Gs5Sp.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]