Hi all,

Carlo Zancanaro <[email protected]> skribis:

> I'm not convinced there's much value to add anything beyond the
> signatures, and I think there is some cost. Having multiple
> verification options makes the download page more confusing (by
> providing more choices to do the same thing), and may make it less
> likely that people do any verification.

Agreed.

> I think there may be a larger conversation to have around using
> something like Signify rather than PGP/GPG, but I'm not familiar
> enough with Signify to have an opinion about that at the moment.

Right. OpenPGP isn’t great for software signing, but it’s widespread, and that’s an important criterion if we are to allow users to authenticate what they download. Tools like Signify are certainly worth looking at, but I see it as a longer-term option.

I’m closing this issue since it’s not really actionable.

Thanks,
Ludo’.
