On Thu, Dec 23, 2021 at 9:53 AM Allan McRae <allan@archlinux.org> wrote:
> Going into this blind having not looked at the other signing libraries... but if there are substantial benefits to moving to another library, we would likely consider it. Assuming there is rough feature parity.
>
> A skim of asignify indicates you would need to trust every key that signs a package, and not use a web-of-trust approach? In fact, I don't see a way to assign trust to specific keys. I could be wrong here.
Yes, I believe with libraries in the pattern of minisign, signify/asignify there is no support for a web-of-trust. For me that isn't a problem for reasons I'll outline in a moment, but I think if Arch were to adopt any of those libraries as standard, that would involve a pretty fundamental shift in how you package and release, no doubt a much larger discussion. I'm saying this without a completely clear picture of your package release process, so I may be wrong.

The reason I don't see it as being a problem for me is that my intent is to release authoritative packages from one source, a CI/CD pipeline that is triggered off of the main repository. Validation and trust of humans who are allowed to push to that repository and trigger official releases can be handled via other mechanisms. Community repositories might have slightly different requirements, but my expectation is that every repository used could have one official public key.

Anyway, I'm not trying to sell you on that model or suggest that Arch adopt it. Just wondering if pacman itself is interested in supporting it as an alternative for projects like mine.

Thanks again!
JH
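To make the trust model under discussion concrete, here is an added example in Go, written for this page; it is not code from pacman, minisign, signify or asignify, and the TrustStore type, the repository names and the package bytes are assumptions for illustration. It pins exactly one Ed25519 public key per repository and verifies a detached signature over the package digest against that key alone: a signature by any other key is rejected outright, which is the "no web-of-trust" property Allan asked about, and a signature from the pinned key over tampered package bytes is rejected as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore pins exactly one public key per repository. The map layout and
// the repository names used below are assumptions for this example, not
// pacman's keyring format.
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnknownRepo  = errors.New("no pinned key for repository")
	ErrBadSignature = errors.New("signature does not verify against the pinned key")
)

// NewRepoKey generates the Ed25519 keypair a repository's release pipeline
// would hold; only the public half is distributed to clients.
func NewRepoKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// packageDigest is what actually gets signed. Signing a fixed-size digest
// rather than the raw archive keeps the signing step independent of package size.
func packageDigest(pkg []byte) []byte {
	d := sha256.Sum256(pkg)
	return d[:]
}

// SignPackage returns a detached signature over the package digest.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, packageDigest(pkg))
}

// VerifyPackage accepts the package only if the signature verifies under the
// single key pinned for repo. A valid signature by any other key, however that
// key might itself be trusted elsewhere, is rejected: there is no delegation
// and no web of trust in this model.
func (ts TrustStore) VerifyPackage(repo string, pkg, sig []byte) error {
	pub, ok := ts[repo]
	if !ok {
		return ErrUnknownRepo
	}
	if !ed25519.Verify(pub, packageDigest(pkg), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	corePub, corePriv, err := NewRepoKey()
	if err != nil {
		panic(err)
	}
	// A second, unrelated signing key: valid in its own right, but not pinned.
	_, otherPriv, err := NewRepoKey()
	if err != nil {
		panic(err)
	}

	ts := TrustStore{"core": corePub}

	// Constructed stand-in for a package archive.
	pkg := []byte("example-1.0-1-x86_64.pkg.tar.zst contents (constructed)")
	sig := SignPackage(corePriv, pkg)

	fmt.Println("core, pinned key:   ", ts.VerifyPackage("core", pkg, sig))
	fmt.Println("unknown repo:       ", ts.VerifyPackage("community", pkg, sig))
	fmt.Println("core, foreign key:  ", ts.VerifyPackage("core", pkg, SignPackage(otherPriv, pkg)))
	pkg[0] ^= 0x01
	fmt.Println("core, tampered pkg: ", ts.VerifyPackage("core", pkg, sig))
}
```

Key rotation in this model is a matter of replacing the single pinned key for a repository in the client's trust store; the example carries no key identifier in the signature, so a real format such as minisign's, which does, would be needed before two keys could be valid for one repository during a rollover.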