undefined | Better HN

0 points0x05y ago0 comments

You could probably post a gpg-signed url to the blockchain, and scan the blockchain for new urls signed by a known gpg key. Or something like that.

0 comments

3 comments · 1 top-level

jasode5y ago· 2 in thread

The gpg approach doesn't seem that reliable. Let's look at the paragraph about history of youtube-dl from wikipedia[1]:

>History youtube-dl was created in 2008 by Ricardo Garcia.[4] Initially, only YouTube was supported, but as the project grew, it began supporting other video sharing websites.[5] Ricardo Garcia stepped down as maintainer in 2011 and was replaced with phihag, who later stepped down and was replaced with dstftw.[6]

Would that be 3 different gpg signatures?

- gpg for Ricardo Garcia

- gpg for phihag

- gpg for dstftw

What would be the deterministic programming code algorithm to find the future unknown gpg signature for the latest non-malware version of youtube-dl on the blockchain?

Conceivably, one could create a project-specific gpg signature (private key shared with future authors) instead of human-author-specific gpg signer. Is that collaboration scenario common?

[1] https://en.wikipedia.org/wiki/Youtube-dl#History

philsnow5y ago

Have each outgoing maintainer sign a string "I approve <new maintainer> whose public gpg is <public gpg key>"?

Doesn't work if latest maintainer loses access to their private key or dies or anything like that though.

0x0OP5y ago

That's how android apks work. An app is signed with a public/private key combo, updates must match the same key. Surely something similar could be conceived. Keys could have an expiration date and someone would just need to post a signed update before it expires that implements an additional new key, then you could even upgrade extremely old versions through a couple of steps.

j / k navigate · click thread line to collapse