Nick
March 13, 2019, 10:25am
Dear Radicle,
Would you consider offering signed tarballs or the like for
installing? I'm afraid I'm too squeamish to install from an
unverified download. Perhaps you could publish a GPG key and later
use it to sign things?
I wish you success with the project.
--
Nick
Hi Nick,
Signing is definitely a concern for us and we discussed this in the scope of packaging.
Since Radicle is under heavy development we currently use a lightweight and fully automated
release process to get updates out quickly. This means for example that we implicitly trust the
CI services. How signatures would fit into this process is still a matter of discussion.
If you have any input into this or know of other projects that have a good strategy that we could
adapt please write us.