5 Jul
2023
5 Jul
'23
6:11 p.m.
On Thu, 6 Jul 2023 at 04:08, Gregory Disney <gregory.disney.leugers@gmail.com> wrote:
Why not just use gpg signatures and maintain trusted signing keys? There’s no reason to reinvent the wheel. If a user wants to use a unsigned or untrusted packages, they have to accept the risk.
As an alternative to a blockchain? No idea, but I've never considered blockchains to be useful for anything more than toys anyway. As an alternative to a curated package list? That just comes down to who holds the trusted keys, so it's the same as the other suggestions, only you're looking at the mechanics for knowing whether it's on the list, as opposed to the mechanics for figuring out which things go on the list - two sides of the same coin, pretty much. ChrisA