Thomas Chust wrote:

> Hello,
>
> implementing package signatures is technically not such a big deal
> (see the experimental example script here:
> https://paste.call-cc.org/paste?id=b5f6d4cce329d48d64eefbe0922b64aebb16a9e5
> :-)
>
> But we need to decide who should be responsible for signatures and
> which keys should be trusted by the package manager. The simplest
> solution would probably be to have one trusted signing key and
> signatures applied automatically by the package server. However,
> this is not the most secure solution.
>
> The best guarantees for authenticity of the egg code would be given
> by signatures from the original package authors, however
> implementing that may require a significant infrastructural overhead
> to maintain up-to-date lists of current keys and which eggs they are
> allowed to sign.
Until this is resolved, is anyone aware of good ways to install eggs more securely? A couple of options come to mind, but they seem overkill.

- Running a local egg mirror with henrietta, as it looks like it can fetch over HTTPS
- Downloading packages with chicken-install -retrieve (to just download instead of installing) and manually inspecting each one

_______________________________________________
Chicken-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-users
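The two trust models in the quoted message (one central server key versus author keys that are only allowed to sign certain eggs) as a small verifier, written in Go as an added illustration; this is not code from the thread, from the linked paste, or from CHICKEN's own tooling. Ed25519, the `Keyring` allow-list layout, the `"*"` wildcard for a central key, and the constructed egg archive are all assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Keyring maps a hex-encoded Ed25519 public key to the egg names its owner
// may sign. A single central server key would simply be allowed "*".
// (Hypothetical layout, not CHICKEN's.)
type Keyring map[string]map[string]bool

// SignedEgg is a constructed stand-in for a downloaded egg: its name, the
// archive bytes, the hex public key of the signer and the signature.
type SignedEgg struct {
	Name      string
	Archive   []byte
	SignerHex string
	Sig       []byte
}

// digest binds the egg name to its content so that a valid signature over
// one egg cannot be replayed to vouch for a different egg.
func digest(name string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/content boundaries are unambiguous
	h.Write(archive)
	return h.Sum(nil)
}

// Verify checks the policy first (is this key trusted, and may it sign this
// egg?), then the Ed25519 signature over digest(name, content).
func Verify(kr Keyring, egg SignedEgg) error {
	allowed, known := kr[egg.SignerHex]
	if !known {
		return errors.New("signer key not in trusted keyring")
	}
	if !allowed["*"] && !allowed[egg.Name] {
		return errors.New("key is not authorised to sign this egg")
	}
	pub, err := hex.DecodeString(egg.SignerHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), digest(egg.Name, egg.Archive), egg.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Sign is what an author's (hypothetical) tooling would run before upload.
func Sign(priv ed25519.PrivateKey, name string, archive []byte) []byte {
	return ed25519.Sign(priv, digest(name, archive))
}
```

A central-key deployment is the same code with one entry whose allow-set is `{"*": true}`; the per-author model differs only in how that map is maintained, which is the overhead the quoted message points at.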
