

Cryptographic signature verification of build dependencies - SanderMak
http://branchandbound.net/blog/security/2012/08/verify-dependencies-using-pgp/

======
SanderMak
Would be interested to compare this approach to other similar systems (e.g.
Ruby Gems, CPAN, NuGet). At first blush it seems like none of these provide
any mechanism to check the authenticity of artifacts.

