re: git, signed commits, log verification, etc
Monotone supports a good bit of PKI within it...
http://monotone.ca/
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
On Mon, Sep 16, 2013 at 2:48 PM, zooko zo...@zooko.com wrote:
On Sun, Sep 08, 2013 at 08:28:27AM -0400, Phillip Hallam-Baker wrote:
I think we need a different approach to source code management. Get rid of user authentication completely, passwords and SSH are both a fragile approach.
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own versions?
A: (Schneier) Yes, I believe so.
perhaps, but they would risk being noticed. Some people check file hashes when
On Sun, Sep 8, 2013 at 1:42 AM, Tim Newsham tim.news...@gmail.com wrote:
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own versions?
A: (Schneier) Yes, I believe so.
On Sat, Sep 07, 2013 at 07:42:33PM -1000, Tim Newsham wrote:
Jumping in to this a little late, but:
Q: Could the NSA be intercepting downloads of open-source
encryption software and silently replacing these with their own versions?
A: (Schneier) Yes, I believe so.
perhaps, but they
On 09/08/2013 05:28 AM, Phillip Hallam-Baker wrote:
every code update to the repository should be signed and
recorded in an append only log and the log should be public and enable any
party to audit the set of updates at any time.
This would be 'Code Transparency'.
Problem is we would need to