Hello,

implementing package signatures is technically not such a big deal (see the experimental example script here: https://paste.call-cc.org/paste?id=b5f6d4cce329d48d64eefbe0922b64aebb16a9e5 :-)

But we need to decide who should be responsible for signatures and which keys should be trusted by the package manager. The simplest solution would probably be to have one trusted signing key and signatures applied automatically by the package server. However, this is not the most secure solution. The best guarantees for authenticity of the egg code would be given by signatures from the original package authors; however, implementing that may require a significant infrastructural overhead to maintain up-to-date lists of current keys and which eggs they are allowed to sign.

Ciao,
Thomas

--
There are only two things wrong with C++: The initial concept and the implementation. -- Bertrand Meyer
Chicken-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-users
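The trust question in the mail above (one server key that may sign anything, versus per-author keys that may only sign their own eggs) can be expressed as a single key-to-eggs table that the package manager consults before it checks any signature. The following is an added illustration in Go, not the example script linked in the mail and not code from CHICKEN's egg tooling. It assumes Ed25519 signatures, a constructed tarball and constructed egg names ("http-client", "srfi-69-extra"), and a signing input that binds egg name and version to the tarball hash so a signature cannot be replayed across eggs or versions; all of these are choices made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID identifies a trusted public key by the hex SHA-256 of its bytes.
type KeyID string

func keyID(pub ed25519.PublicKey) KeyID {
	sum := sha256.Sum256(pub)
	return KeyID(hex.EncodeToString(sum[:]))
}

// TrustPolicy is the package manager's list of accepted keys. A key is trusted
// either for any egg (the "one server key" model) or for an explicit set of
// eggs (the "author keys" model); both fit in the same table.
type TrustPolicy struct {
	keys    map[KeyID]ed25519.PublicKey
	allowed map[KeyID]map[string]bool // nil set means "any egg"
}

func NewTrustPolicy() *TrustPolicy {
	return &TrustPolicy{keys: map[KeyID]ed25519.PublicKey{}, allowed: map[KeyID]map[string]bool{}}
}

// TrustAnyEgg registers a key that may sign every egg (e.g. the server key).
func (p *TrustPolicy) TrustAnyEgg(pub ed25519.PublicKey) {
	p.keys[keyID(pub)] = pub
	p.allowed[keyID(pub)] = nil
}

// TrustForEggs registers an author key limited to the named eggs.
func (p *TrustPolicy) TrustForEggs(pub ed25519.PublicKey, eggs ...string) {
	id := keyID(pub)
	p.keys[id] = pub
	set := map[string]bool{}
	for _, e := range eggs {
		set[e] = true
	}
	p.allowed[id] = set
}

// EggRelease is what a server would publish next to the tarball (assumed layout).
type EggRelease struct {
	Name, Version string
	Tarball       []byte
	KeyID         KeyID
	Sig           []byte
}

// signingInput binds egg name and version to the tarball hash, so a valid
// signature on foo 1.0 cannot be replayed as foo 0.9 or as bar 1.0.
func signingInput(name, version string, tarball []byte) []byte {
	h := sha256.Sum256(tarball)
	return []byte(fmt.Sprintf("chicken-egg-sig-v1\n%s\n%s\n%x\n", name, version, h))
}

func SignRelease(priv ed25519.PrivateKey, name, version string, tarball []byte) EggRelease {
	pub := priv.Public().(ed25519.PublicKey)
	return EggRelease{Name: name, Version: version, Tarball: tarball, KeyID: keyID(pub),
		Sig: ed25519.Sign(priv, signingInput(name, version, tarball))}
}

// Verify rejects unknown keys, keys not authorized for this egg, and bad
// signatures, in that order; the policy check happens before any crypto.
func (p *TrustPolicy) Verify(r EggRelease) error {
	pub, ok := p.keys[r.KeyID]
	if !ok {
		return errors.New("signing key is not in the trust list")
	}
	if set := p.allowed[r.KeyID]; set != nil && !set[r.Name] {
		return fmt.Errorf("key %s is not authorized to sign egg %q", r.KeyID[:8], r.Name)
	}
	if !ed25519.Verify(pub, signingInput(r.Name, r.Version, r.Tarball), r.Sig) {
		return errors.New("signature does not match egg contents")
	}
	return nil
}

// RunScenario exercises both trust models on constructed eggs and returns
// "ok" or the rejection reason for each case.
func RunScenario() map[string]string {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)

	policy := NewTrustPolicy()
	policy.TrustAnyEgg(serverPub)
	policy.TrustForEggs(alicePub, "srfi-69-extra") // constructed egg name

	res := func(err error) string {
		if err != nil {
			return err.Error()
		}
		return "ok"
	}
	tarball := []byte("constructed tarball bytes, not a real egg")
	out := map[string]string{}
	out["server signs any egg"] = res(policy.Verify(SignRelease(serverPriv, "http-client", "1.0", tarball)))
	out["author signs own egg"] = res(policy.Verify(SignRelease(alicePriv, "srfi-69-extra", "2.3", tarball)))
	out["author signs other egg"] = res(policy.Verify(SignRelease(alicePriv, "http-client", "1.0", tarball)))
	out["unknown key"] = res(policy.Verify(SignRelease(strangerPriv, "http-client", "1.0", tarball)))
	tampered := SignRelease(serverPriv, "http-client", "1.0", tarball)
	tampered.Tarball = append([]byte{}, tarball...)
	tampered.Tarball[0] ^= 1 // flip one bit after signing
	out["tampered tarball"] = res(policy.Verify(tampered))
	return out
}

func main() {
	for k, v := range RunScenario() {
		fmt.Printf("%-24s %s\n", k, v)
	}
}
```

The table is the part that carries the "infrastructural overhead" the mail mentions: in the server-key model it has one entry and never changes, while in the author-key model every key rotation or maintainer handover is an edit to it, and a stale entry means either a rejected legitimate release or a key that can still sign an egg it no longer owns.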
