Interest in other signature libs/tools?

Jeremy Huntwork jeremy at merelinux.org
Thu Dec 23 15:30:24 UTC 2021


On Thu, Dec 23, 2021 at 10:14 AM Jeremy Huntwork <jeremy at merelinux.org> wrote:
> The reason I don't see it as being a problem for me is that my intent
> is to release authoritative packages from one source, a CI/CD pipeline
> that is triggered off of the main repository. Validation and trust of
> humans that are allowed to push to that repository and trigger
> official releases can be handled via other mechanisms. Community
> repositories might have slightly different requirements, but my
> expectation is that every repository used could have one official
> public key.

I suppose if I did have a reason for supporting multiple keys, those
would all have to be shipped/installed together and then pacman could
loop through them until one of them validates the sig. asignify is
fast enough though because of its methods and algorithms used (blake2)
that I don't really see that as an issue either.

JH
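
The multi-key loop described in the message above, as an added example that is not part of the original post or of pacman/asignify: every installed key is tried in turn and verification fails closed when none validates. A Lamport one-time signature built on BLAKE2b stands in for the real signature check so the block runs on the Python standard library alone; the key names, package bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def h(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=32).digest()

def bits(message: bytes):
    """Return the 256 bits of the BLAKE2b digest of the message."""
    digest = h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Stand-in keypair: a Lamport one-time key (not asignify's scheme)."""
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = [(h(a), h(b)) for a, b in secret]
    return secret, public

def sign(secret, message: bytes):
    # One-time scheme: each secret key may sign a single message only.
    return [secret[i][bit] for i, bit in enumerate(bits(message))]

def verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(bits(message)):
        ok &= hmac.compare_digest(h(signature[i]), public[i][bit])
    return ok

def verify_any(trusted_keys: dict, message: bytes, signature):
    """Try each installed key; return the matching key's name, or None."""
    for name, public in trusted_keys.items():
        if verify(public, message, signature):
            return name
    return None  # fail closed: no installed key validated the signature

# Constructed sample data: two installed keys and one key that is not installed.
PACKAGE = b"constructed package bytes: example-1.0-1.pkg"
official_sk, official_pk = keygen()
community_sk, community_pk = keygen()
rogue_sk, _ = keygen()
KEYRING = {"official": official_pk, "community": community_pk}
SIG_COMMUNITY = sign(community_sk, PACKAGE)
SIG_ROGUE = sign(rogue_sk, PACKAGE)
```

Returning the name of the key that validated, rather than a bare boolean, lets the caller log or enforce which repository key a package was accepted under.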


More information about the pacman-dev mailing list