Ximin Luo:
> Signatures provide a way to for us to aggregate public trust on binaries that
> don't build themselves. So it's important to have multiple and *very direct*
> meanings of what-is-being-signed, to avoid a transitive-trust situation.
> 

I sent this in a rush; better version:

Signatures provide a way to for us to aggregate public trust on binaries that
people don't build themselves. So it's important to have multiple and *very
direct* meanings of what-is-being-signed, strongly associated to the signer,
to avoid a transitive-trust situation.

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Reply via email to