On 07/10/2016 at 09:41, Brian Candler wrote:
>
> I can't see any way in which adding plugin signatures to pass itself
> is helpful. How are you going to choose which signatures to trust?
> Either pass is hard-coded with a list of trusted plugin authors, or
> you have to add the author keys too. In which case this is no better
> than either of the previous options.
My message was to introduce signing for trust. It effectively happens, somewhat, in .deb packages (there could be other examples, of course).

Web of trust is a way to delegate trust to other people whom you trust, as far as I know. It was introduced a long time ago in GPG, for example. You need to meet the person physically to fully trust his/her key. So by following the links of trusted signatures you may, or may not, arrive at trusting a plugin using your own keyring.

I don't know if it is needed here for pass, but the subject has been mentioned earlier in the link I posted. Maybe not in that form, but as more and more really good plugins arrive it could be interesting to think about that.

The custom subcommands are a really pleasing concept, and I was thinking out loud about how, and if, it needs to be achieved by signing custom scripts.

I'm also interested in how a "community trust" of signed keys could behave, as it's also developed in free money software <https://en.duniter.org/>.

Regards,
Sylvain.

--
Sylvain Viart - Linux systems DevOps - freelance developer
_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
