
Re: [Chicken-users] chicken-install package integrity/signing

From: Jason Valencia
Subject: Re: [Chicken-users] chicken-install package integrity/signing
Date: Sun, 23 Dec 2018 00:11:51 +0000

Thomas Chust wrote:
> Hello,
> implementing package signatures is technically not such a big deal
> (see the experimental example script here: 
> :-)
> But we need to decide who should be responsible for signatures and
> which keys should be trusted by the package manager. The simplest
> solution would probably be to have one trusted signing key and
> signatures applied automatically by the package server. However,
> this is not the most secure solution.
> The best guarantees for authenticity of the egg code would be given
> by signatures from the original package authors, however
> implementing that may require a significant infrastructural overhead
> to maintain up-to-date lists of current keys and which eggs they are
> allowed to sign.

Until this is resolved, is anyone aware of good ways to install eggs
more securely? A couple of options come to mind but they seem overkill.

 - Running a local egg mirror with henrietta as it looks like it can
   fetch over HTTPS

 - Downloading packages with chicken-install -retrieve (to just
   download instead of installing) and manually inspecting each one
