Hello,

On 28.03.2016 19:50, rain1@openmailbox.org wrote:
On 2016-03-23 06:38, Erich Eckner wrote:
On 21.03.2016 21:36, Dutch Ingraham wrote:
On Mon, Mar 21, 2016 at 08:31:00AM +0100, Thomas Penteker wrote:
To fill the missing link to providing integrity and confidentiality, we should start cryptographically signing ports on the maintainer's side and check these signatures before building/downloading anything.
regards, Thomas
Yes, please.[1]
[1] blog.linuxmint.com/?paged=2

(...)

I would like to recommend the signify tool: http://www.openbsd.org/papers/bsdcan-signify.html
It's very high quality and simple. Could be useful for building this package signing system.
I put up a proposal/implementation documentation of my efforts to bring signed ports to CRUX using signify. It can be found at https://crux.nu/Wiki/SignedPorts which also contains the steps required to test drive the new functionality.

I'd like to move quickly as things look pretty usable and stable, also please comment.

best regards, Thomas