[Catalog-sig] [Draft] Package signing and verification process

Lennart Regebro regebro at gmail.com
Wed Feb 6 21:08:52 CET 2013


On Wed, Feb 6, 2013 at 8:51 PM, Zygmunt Krynicki
<zygmunt.krynicki at canonical.com> wrote:
> That is a one time operation.

It is, for Plone, a several hundred times operation. This is not a
feasible path.

> Sorry, you are right. My example assumed you were familiar with what
> I'm doing with distrust (https://github.com/zyga/distrust) where it
> works just as well for current unsigned software.

That's just asking users to manually verify each package they
download. They already do not do that. We need to solve that problem.
Just asking them to do it is not going to solve anything.

//Lennart
