GNU bug report logs - #47634
Accompany .asc and .DIGESTS keys for the ISO

Previous Next

Package: guix;

Reported by: bo0od <bo0od <at> riseup.net>

Date: Wed, 7 Apr 2021 05:43:01 UTC

Severity: normal

Tags: wontfix

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #32 received at 47634 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Carlo Zancanaro <carlo <at> zancanaro.id.au>
Cc: bo0od <bo0od <at> riseup.net>, 47634 <at> debbugs.gnu.org
Subject: Re: bug#47634: Accompany .asc and .DIGESTS keys for the ISO
Date: Sun, 18 Apr 2021 12:40:10 +0200

Hi all,

Carlo Zancanaro <carlo <at> zancanaro.id.au> skribis:

> I'm not convinced there's much value to add anything beyond the
> signatures, and I think there is some cost. Having multiple 
> verification options makes the download page more confusing (by
> providing more choices to do the same thing), and may make it less 
> likely that people do any verification.

Agreed.

> I think there may be a larger conversation to have around using
> something like Signify rather than PGP/GPG, but I'm not familiar 
> enough with Signify to have an opinion about that at the moment.

Right.  OpenPGP isn’t great for software signing, but it’s widespread,
and that’s an important criterion if we are to allow users to
authenticate what they download.  Tools like Signify are certainly worth
looking at, but I see it as a longer-term option.

I’m closing this issue since it’s not really actionable.

Thanks,
Ludo’.
This bug report was last modified 4 years and 39 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.