uhm, this is very much into dreamland right now (since the first step, of signing integration isn't done yet)...
On 30/03/2016 13:03, Anil Madhavapeddy wrote: > That actually sounds like the perfect workflow for signing... if there was > some way to sign it (perhaps keybase.io via JavaScript) without a CLI, it > would be much more widely adopted. does this propose that you want people to store their private keys online on the internet (certainly password-protected)? I'm uneasy with that (and would prefer to store the private keys on the people's laptops, rather than online). >> On 30 Mar 2016, at 12:02, Louis Gesbert <louis.gesb...@ocamlpro.com> wrote: >> More simply, the mechanism could do all the work, and poll the package >> maintainer for a signature (assuming he wouldn't sign without actually >> checking ?) . Something like a mail with instructions and archive + >> cryptohash >> to verify, then a command to run and it's done. this sounds good to me, a mail where the developer has to invoke some command-line utility locally to generate a signature, and resubmit this via mail (well, or git as a first step). hannes
signature.asc
Description: OpenPGP digital signature
_______________________________________________ opam-devel mailing list opam-devel@lists.ocaml.org http://lists.ocaml.org/listinfo/opam-devel
