Interest in other signature libs/tools?

Jeremy Huntwork jeremy at merelinux.org
Thu Dec 23 15:14:11 UTC 2021


On Thu, Dec 23, 2021 at 9:53 AM Allan McRae <allan at archlinux.org> wrote:
> Going into this blind having not looked at the other signing
> libraries...  but if there is substantial benefits of moving to another
> library, we would likely consider it.  Assuming there is rough feature
> parity.
>
> A skim of the asignify indicates you would need to trust every key that
> signs a package, and not use a web-of-trust approach?  In fact, I don't
> see a way to assign trust to specific keys.  I could be wrong here.

Yes, I believe with libraries in the pattern of minisign,
signify/asignify there is no support for a web-of-trust. For me that
isn't a problem for reasons I'll outline in a moment, but I think if
Arch were to adopt any of those libraries as standard, that would
involve a pretty fundamental shift in how you package and release, no
doubt a much larger discussion. I'm saying this without a completely
clear picture of your package release process, so I may be wrong.

The reason I don't see it as being a problem for me is that my intent
is to release authoritative packages from one source, a CI/CD pipeline
that is triggered off of the main repository. Validation and trust of
humans that are allowed to push to that repository and trigger
official releases can be handled via other mechanisms. Community
repositories might have slightly different requirements, but my
expectation is that every repository used could have one official
public key.

Anyway, I'm not trying to sell you on that model or suggest that Arch
adopt it. Just wondering if pacman itself is interested in supporting
it as an alternative for projects like mine.

Thanks again!

JH
