From: Eric Wong <normalperson@yhbt.net>
To: unicorn list <mongrel-unicorn@rubyforge.org>
Subject: Re: Signing the gem with a PGP key
Date: Mon, 11 Mar 2013 23:59:17 +0000 [thread overview]
Message-ID: <20130311235917.GA973@dcvr.yhbt.net> (raw)
In-Reply-To: <CAM3ce8HGq+MMVUVK624mcO6caaBMDE=NnLWLRL8TA8vgpOZ1Jg@mail.gmail.com>
Hongli Lai <hongli@phusion.nl> wrote:
> On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong <normalperson@yhbt.net> wrote:
> > Can we designate gems be signed by a trusted third party (e.g. you?)
> > That's how Debian (and presumably other OS distros work).
> >
> > _Nobody_ should trust me. I have and maintain zero credibility.
> > The only credibility any unicorn has is what its users give it.
>
> Well the kind of trust we're talking about here is not trustworthiness
> (i.e. "does the software work well and will it refrain from formatting
> my harddisk?"), but authenticity ("is this gem made by the Unicorn and
> not someone pretending to be him?"). Given that definition of "trust",
> having a third party sign the gem is not very useful, and letting you
> sign the gem will not make it a statement about trustworthiness,
> warranty or credibility.
>
> What do you think?
The only thing that matters in the end is whether the code is good or not.
I have the same likelyhood of having my GPG key compromised as I do of
writing broken code that breaks things horribly: a very likely one.
I make my commits public and and send patches to mailing lists to
encourage others to verify what I'm doing isn't horribly broken. I
never tell anybody to accept patches/code based on who wrote it; same
goes for gems/tarballs.
So yes, gems/tarballs should have the same level of scrutiny as every
commit.
If somebody else assumed my identity, but continued doing things in the
way I've done in the past; unicorn users would not (nor should they)
notice the difference. That may've already happened :)
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying
prev parent reply other threads:[~2013-03-11 23:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-11 19:57 Signing the gem with a PGP key Hongli Lai
2013-03-11 22:48 ` Eric Wong
2013-03-11 23:10 ` Hongli Lai
2013-03-11 23:59 ` Eric Wong [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://yhbt.net/unicorn/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130311235917.GA973@dcvr.yhbt.net \
--to=normalperson@yhbt.net \
--cc=mongrel-unicorn@rubyforge.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhbt.net/unicorn.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).