On 16-06-18 11:46pm, Bardur Arantsson wrote:
> On 06/18/2016 11:18 PM, Profpatsch wrote:
> >
> > The script approach is not very bad. Maybe sign it with gpg for people
> > who want to verify it.
> >
>
> Have you been following along on the thread at all? Signing the
> installer script does very little[1] unless the bits it fetches are
> themselves also signed (GPG style) and verified by the script.
>
> nothing, but what you really want is signing of everything in the trust
> chain.

Hydra already signs packages. I’m not sure if that’s easily verifiable by hand, though. The script itself could contain a `gpg …` line to verify the binary blob, not sure how much sense that makes.

-- 
Proudly written in Mutt with Vim on NixOS.
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
May take up to five days to read your message. If it’s urgent, call me.
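
The point raised in this exchange, that a signed installer only helps if the script itself verifies what it fetches, sketched as an added example (not code from this thread or from the Nix installer). It assumes a detached signature shipped next to the blob and a public keyring pinned alongside the script; the function names and file layout are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed verification of a fetched blob before unpacking.
# The keyring, signature and blob paths are assumptions, not Nix's layout.

# verify_blob KEYRING SIG BLOB
# Returns 0 only if SIG is a valid detached signature over BLOB made by a
# key present in KEYRING. Anything else (no gpgv, missing file, bad or
# unknown signature) returns non-zero.
verify_blob() {
    keyring=$1 sig=$2 blob=$3

    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not found" >&2; return 1; }
    for f in "$keyring" "$sig" "$blob"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # gpgv checks against the given keyring only. It does not consult the
    # user's own keyring or a keyserver, so the set of trusted keys is
    # exactly what the installer pins. Pass the keyring as a path containing
    # a slash, otherwise gpgv looks for it in its home directory.
    gpgv --quiet --keyring "$keyring" "$sig" "$blob" >/dev/null 2>&1
}

# unpack_if_verified KEYRING SIG BLOB DEST
# Unpacks BLOB into DEST only after verify_blob succeeds.
unpack_if_verified() {
    if verify_blob "$1" "$2" "$3"; then
        mkdir -p "$4" && tar -xf "$3" -C "$4"
    else
        echo "signature check failed, refusing to unpack $3" >&2
        return 1
    fi
}
```

The pinned keyring is only as trustworthy as the channel that delivered the script, which is where a signature on the script itself closes the chain.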
