
That would probably be doable using a PGP-style trust system. Don't know if it'd add much security in practice though, since the "trust these declarations of trust" decision would most likely be automated.



Yeah, just GPG with Keybase and some place to publish the messages.

Trustworthy people wouldn't approve releases automatically... but then, who's trustworthy?

Like Pynchon wrote, paranoia is the garlic of life...


You still have to decide who to trust, but having a collection of many independent parties verifying a package can be a useful signal even if you don't have anyone directly in your trust chain. It makes it a lot harder for rogue releases to go unnoticed.
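As an added illustration of the policy the thread is circling (not code from any commenter): a consumer decides how far to follow transitive trust declarations, then requires a threshold of independent attestations on the release digest and refuses the release if any trusted party attests to a different digest. Names, the trust graph and the attestations are constructed; signature checks on the declarations and attestations are assumed to have happened already.

```python
import hashlib
from collections import deque

# Constructed release artifact; parties attest to its SHA-256 digest.
ARTIFACT = b"example-package-1.2.3.tar.gz contents (constructed)"
DIGEST = hashlib.sha256(ARTIFACT).hexdigest()

# PGP-style trust declarations (constructed): who vouches for whom.
# Assumed already signature-verified; this block only evaluates policy.
TRUST = {
    "me": {"alice", "bob"},
    "alice": {"carol"},
    "bob": {"carol", "dave"},
    "carol": {"eve"},
}

# Constructed attestations: (party, digest that party claims to have verified).
ATTESTATIONS = [
    ("alice", DIGEST),
    ("bob", DIGEST),
    ("carol", DIGEST),
    ("dave", "0" * 64),  # disagrees with everyone else: a red flag
    ("eve", DIGEST),
]

def trusted_parties(root, max_depth):
    """Parties reachable from `root` via trust declarations within max_depth hops."""
    seen, frontier = {root}, deque([(root, 0)])
    while frontier:
        party, depth = frontier.popleft()
        if depth == max_depth:
            continue  # stop automated trust propagation at the chosen depth
        for nxt in TRUST.get(party, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    seen.discard(root)
    return seen

def evaluate_release(digest, root, max_depth, threshold):
    """Return (approved, agreeing parties, disagreeing parties) under the policy."""
    trusted = trusted_parties(root, max_depth)
    agree = sorted(p for p, d in ATTESTATIONS if p in trusted and d == digest)
    disagree = sorted(p for p, d in ATTESTATIONS if p in trusted and d != digest)
    # Enough independent confirmations, and nobody trusted saw a different artifact.
    approved = len(agree) >= threshold and not disagree
    return approved, agree, disagree
```

Widening the trust depth from 1 to 2 pulls in dave's conflicting attestation, which is exactly the "harder for rogue releases to go unnoticed" effect: more independent eyes make a discrepancy visible.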



