On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt@nycresistor.com> wrote:

> Or start doing signed pgp for package maintainers and build a transitive trust model.

PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there. See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
—
Donald Stufft