On 02/04/2014 01:11 PM, Daniel Cegiełka wrote:
> 2014-02-04 Marc Espie <[email protected]>:
>> signify(1) makes things more transparent: no chain of trust, pure keys.
>> One cool thing is that the signatures are small enough that they can be
>> embedded directly in the package (which already has sha256 for
>> everything).
>> This has the advantage of decentralization: package snapshots can be
>> partially synchronized, and still each package carries its own signature.
>> Less margin for strange errors -> stuff that works most of the time ->
>> more trustworthy.
> wow!? really? And how can I be sure that the public key that I
> downloaded is exactly the same public key which is stored on OpenBSD
> servers (MITM)?
You can't. But at least that's transparent, rather than obfuscated
somewhere down a chain of trust.
--
Matthew Weigel
hacker
unique & idempot . ent