On 01/18/2015 21:11, Anil Madhavapeddy wrote:
> This is certainly something that needs to go on the roadmap sooner
> rather than later, and issue #423 is still the place to record your
> opinions.
>
> Having a signify-like model to let an OPAM mirroring script sign
> distfiles would be a good first step, since the complexities of
> managing a per-contributor signing infrastructure would be quite
> significantly more work.

Just as a short news item - the Haskell Debian build host got compromised yesterday - https://news.ycombinator.com/item?id=9054795

I do think we need to keep the build hosts/repository hosts outside of the trust chain, and push signing all the way up to the authors (or rather maintainers).

> Note that the OPAM remote is HTTPS by default since OPAM 1.1.

That sounds great - where are the trust anchors taken from? Systemwide (if so, from where/how/why)?

Once the dust clears up here, I plan to work on implementing TUF (instead of signify/PGP; it seems like I'm biased towards TLS/X.509 these days, to be able to use in-house tools).

Hannes

_______________________________________________
Platform mailing list
http://lists.ocaml.org/listinfo/platform
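As an added illustration (not code from this thread or from OPAM) of the signify-like model Anil describes, and of why it keeps the host outside the trust chain as Hannes wants: the mirror signs an index of distfile hashes with an Ed25519 key, and the client verifies that signature against a public key it pinned in advance before trusting any hash. The key generation, the one-line-per-file index format and the file contents below are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// GenerateMirrorKey makes the mirror's long-term key; the client pins the public half.
func GenerateMirrorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignIndex (mirror side) lists one "sha256 name" line per distfile and signs
// the whole index, so a stale or altered list is as detectable as a bad file.
func SignIndex(priv ed25519.PrivateKey, files map[string][]byte) (string, []byte) {
	var lines []string
	for n, data := range files {
		sum := sha256.Sum256(data)
		lines = append(lines, hex.EncodeToString(sum[:])+" "+n+"\n")
	}
	sort.Strings(lines) // deterministic index bytes regardless of map order
	index := strings.Join(lines, "")
	return index, ed25519.Sign(priv, []byte(index))
}

// VerifyDistfile (client side) checks the index signature against the pinned
// key first, then the downloaded bytes against the hash the index lists.
func VerifyDistfile(pub ed25519.PublicKey, index string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(index), sig) {
		return fmt.Errorf("index signature does not verify")
	}
	for _, line := range strings.Split(index, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			if got := sha256.Sum256(data); f[0] != hex.EncodeToString(got[:]) {
				return fmt.Errorf("%s: hash mismatch", name)
			}
			return nil
		}
	}
	return fmt.Errorf("%s: not in signed index", name)
}
```

A host that serves a modified distfile fails the hash check, and one that rewrites the index to match fails the signature check; only the holder of the mirror's private key can produce an index the client accepts.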
