bug-guix

bug#47634: Accompany .asc and .DIGESTS keys for the ISO


From: Ludovic Courtès
Subject: bug#47634: Accompany .asc and .DIGESTS keys for the ISO
Date: Sun, 18 Apr 2021 12:40:10 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi all,

Carlo Zancanaro <carlo@zancanaro.id.au> wrote:

> I'm not convinced there's much value to add anything beyond the
> signatures, and I think there is some cost. Having multiple 
> verification options makes the download page more confusing (by
> providing more choices to do the same thing), and may make it less 
> likely that people do any verification.

Agreed.

> I think there may be a larger conversation to have around using
> something like Signify rather than PGP/GPG, but I'm not familiar 
> enough with Signify to have an opinion about that at the moment.

Right.  OpenPGP isn’t great for software signing, but it’s widespread,
and that’s an important criterion if we are to allow users to
authenticate what they download.  Tools like Signify are certainly worth
looking at, but I see it as a longer-term option.

I’m closing this issue since it’s not really actionable.

Thanks,
Ludo’.
