undefined | Better HN

0 pointsjvanderbot2y ago0 comments

I agree, but I think that model of GPG is not how it's used any more. I think nowadays people upload a one-shot CI key, which is used to sign builds. So you're basically saying "The usual machine built this". Which is good information, don't get me wrong, but it's much less secure than "John was logged into his laptop and entered the password for the key that signed this"

So, you're right, that GPG verifies source, whereas TLS verifies distribution. I suppose those can be very different things.

Perhaps counter example: https://launchpad.net/~lubuntu-ci/+archive/ubuntu/stable-bac...

> The packages here are from the latest upstream release with WORK IN PROGRESS packaging, built from our repositories on Phabricator. These are going to be manually uploaded to the Backports PPA once they are considered stable.

And presumably "manually" means "signed and uploaded"

0 comments

spookie2y ago

No established GNU/Linux distribution is going to half ass GPG signing as you've implied.

jvanderbotOP2y ago

Which part is half ass? Manual or automatic?

spookie2y ago

One shot CI keys. I guess I shouldn't have used that term, it certainly is more work that doing otherwise.

Nevertheless, their advantages offer nothing of value in this context. At least, I think so. Correct me if I'm wrong.

j / k navigate · click thread line to collapse

0 comments

spookie2y ago

No established GNU/Linux distribution is going to half ass GPG signing as you've implied.

jvanderbotOP2y ago

Which part is half ass? Manual or automatic?

spookie2y ago

One shot CI keys. I guess I shouldn't have used that term, it certainly is more work that doing otherwise.

Nevertheless, their advantages offer nothing of value in this context. At least, I think so. Correct me if I'm wrong.

j / k navigate · click thread line to collapse