2014-02-04 Marc Espie <[email protected]>:
> signify(1) makes things more transparent: no chain of trust, pure keys.
>
> One cool thing is that the signatures are small enough that they can be
> embedded directly in the package (which already has sha256 for everything).
>
> This has the advantage of decentralization: package snapshots can be partially
> synchronized, and still each package carries its own signature. Less margin
> for strange errors -> stuff that works most of the time -> more trustworthy.
wow!? really? And how can I be sure that the public key that I downloaded is exactly the same public key which is stored on OpenBSD servers (MITM)?

signify is a step in the right direction but does not fix anything. We need trusted key distribution (or verification) for signify - without it we will be stuck on the same shit (but successfully verified).

best regards,
Daniel
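To make the key-distribution concern in the thread concrete, here is an added example (not code from the thread or from OpenBSD) that parses the signify(1) key and signature file layout, checks that a signature was made by the key number of the key at hand, and compares the downloaded key against a fingerprint pinned from an independent channel. It assumes the published file layout ("untrusted comment:" line, then base64 of the "Ed" tag, an 8-byte key number, and the key or signature bytes); all key material below is constructed, and the Ed25519 signature check itself is not shown.

```python
import base64
import hashlib

# Layout of the base64 payload in signify(1) key and signature files:
#   2-byte algorithm tag "Ed" | 8-byte key number | key (32) or signature (64).
# The first line is an "untrusted comment:" and is not covered by any signature.
ALG = b"Ed"
KEYNUM_LEN = 8
PUBKEY_LEN = 32
SIG_LEN = 64

def parse_signify_file(text, body_len):
    """Return (keynum, body) from a signify public-key or signature file."""
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing 'untrusted comment:' header line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != len(ALG) + KEYNUM_LEN + body_len:
        raise ValueError("unexpected payload length %d" % len(raw))
    if raw[:len(ALG)] != ALG:
        raise ValueError("unsupported algorithm tag %r" % raw[:len(ALG)])
    keynum = raw[len(ALG):len(ALG) + KEYNUM_LEN]
    return keynum, raw[len(ALG) + KEYNUM_LEN:]

def pubkey_fingerprint(pubkey_text):
    """SHA-256 hex digest of the raw 32-byte key, for out-of-band comparison."""
    _, key = parse_signify_file(pubkey_text, PUBKEY_LEN)
    return hashlib.sha256(key).hexdigest()

def check_key_matches_sig(pubkey_text, sig_text, pinned_fingerprint):
    """True only if the signature names this key AND the key matches the
    fingerprint obtained through a channel the downloader does not control."""
    key_num, key = parse_signify_file(pubkey_text, PUBKEY_LEN)
    sig_num, _ = parse_signify_file(sig_text, SIG_LEN)
    if key_num != sig_num:
        return False  # signature was made with a different key
    return hashlib.sha256(key).hexdigest() == pinned_fingerprint

def make_file(comment, keynum, body):
    """Build a constructed key/sig file for this demo (not a real OpenBSD key)."""
    payload = base64.b64encode(ALG + keynum + body).decode()
    return "untrusted comment: %s\n%s\n" % (comment, payload)

# Constructed sample data: not real keys or signatures.
KEYNUM = bytes(range(8))
PUBKEY_FILE = make_file("demo key", KEYNUM, bytes([0x11] * PUBKEY_LEN))
SIG_FILE = make_file("signature for demo.tgz", KEYNUM, bytes([0x22] * SIG_LEN))
OTHER_SIG_FILE = make_file("other key", b"\xff" * KEYNUM_LEN, bytes([0x22] * SIG_LEN))
PINNED = hashlib.sha256(bytes([0x11] * PUBKEY_LEN)).hexdigest()  # obtained out of band
```

A key number match only shows which key a signature claims to come from; the pinned fingerprint is what ties that key to a source other than the server you just downloaded it from.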

