- Subject: Re: gpg signatures for release tarballs?
- From: "Joseph C. Sible" <josephcsible@...>
- Date: Fri, 28 Jan 2022 21:53:33 -0500
How would you know what the public key is? If you were to get it from
the website, then isn't trusting that equivalent to trusting the
checksums?
One thing I do think would be a good idea, though, is to publish a
non-broken hash (e.g., sha256) instead of just md5 and sha1, both of
which are broken.
Joseph C. Sible
On Fri, Jan 28, 2022 at 9:34 PM Anonymous <hyperowl@danwin1210.de> wrote:
>
> You only publish release checksums. The resulting scheme is weak: I need
> to trust HTTPS which is security theatre given how vulnerable CAs are.
> Please consider publishing cryptographic signatures of some kind
> (gpg/signify/whatever).
>