Hongli Lai <[email protected]> wrote: > On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong <[email protected]> wrote: > > Can we designate gems be signed by a trusted third party (e.g. you?) > > That's how Debian (and presumably other OS distros work). > > > > _Nobody_ should trust me. I have and maintain zero credibility. > > The only credibility any unicorn has is what its users give it. > > Well the kind of trust we're talking about here is not trustworthiness > (i.e. "does the software work well and will it refrain from formatting > my harddisk?"), but authenticity ("is this gem made by the Unicorn and > not someone pretending to be him?"). Given that definition of "trust", > having a third party sign the gem is not very useful, and letting you > sign the gem will not make it a statement about trustworthiness, > warranty or credibility. > > What do you think?
The only thing that matters in the end is whether the code is good or not. I have the same likelyhood of having my GPG key compromised as I do of writing broken code that breaks things horribly: a very likely one. I make my commits public and and send patches to mailing lists to encourage others to verify what I'm doing isn't horribly broken. I never tell anybody to accept patches/code based on who wrote it; same goes for gems/tarballs. So yes, gems/tarballs should have the same level of scrutiny as every commit. If somebody else assumed my identity, but continued doing things in the way I've done in the past; unicorn users would not (nor should they) notice the difference. That may've already happened :) _______________________________________________ Unicorn mailing list - [email protected] http://rubyforge.org/mailman/listinfo/mongrel-unicorn Do not quote signatures (like this one) or top post when replying
