Date: Mon, 11 Mar 2013 23:59:17 +0000
From: Eric Wong
To: unicorn list
Subject: Re: Signing the gem with a PGP key
Message-ID: <20130311235917.GA973@dcvr.yhbt.net>
References: <20130311224812.GA26407@dcvr.yhbt.net>

Hongli Lai wrote:
> On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong wrote:
> > Can we designate gems be signed by a trusted third party (e.g. you?)
> > That's how Debian (and presumably other OS distros work).
> >
> > _Nobody_ should trust me.  I have and maintain zero credibility.
> > The only credibility any unicorn has is what its users give it.
>
> Well the kind of trust we're talking about here is not trustworthiness
> (i.e. "does the software work well and will it refrain from formatting
> my harddisk?"), but authenticity ("is this gem made by the Unicorn and
> not someone pretending to be him?").  Given that definition of "trust",
> having a third party sign the gem is not very useful, and letting you
> sign the gem will not make it a statement about trustworthiness,
> warranty or credibility.
>
> What do you think?

The only thing that matters in the end is whether the code is good or not.

I have the same likelihood of having my GPG key compromised as I do of
writing broken code that breaks things horribly: a very likely one.

I make my commits public and send patches to mailing lists to encourage
others to verify what I'm doing isn't horribly broken.  I never tell
anybody to accept patches/code based on who wrote it; same goes for
gems/tarballs.

So yes, gems/tarballs should have the same level of scrutiny as every
commit.

If somebody else assumed my identity, but continued doing things in the
way I've done in the past; unicorn users would not (nor should they)
notice the difference.  That may've already happened :)
_______________________________________________
Unicorn mailing list - mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn
Do not quote signatures (like this one) or top post when replying
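The two checks the thread keeps apart, authenticity ("did the holder of the release key sign exactly these bytes?") and scrutiny ("is this release the code that was actually reviewed?"), as an added example that is not part of the original mail, of unicorn, or of RubyGems. It uses an RSA key through Ruby's OpenSSL binding as a stand-in for the PGP signature the thread discusses, so it runs without gpg; the file trees, paths and contents are constructed for the example, and the "backdoored" tree is a made-up one-line addition, not a real incident.

```ruby
require 'openssl'
require 'digest'

# Constructed stand-in for the reviewed source tree (e.g. the contents of a
# git tag after review). Paths and contents are made up for this example.
REVIEWED_TREE = {
  'lib/unicorn.rb' => "module Unicorn\n  VERSION = '0.0.0'\nend\n",
  'bin/unicorn'    => "#!/usr/bin/env ruby\nrequire 'unicorn'\n",
}.freeze

# Constructed: the same tree with one line added to a file, as someone who
# controls the release process (or the signing key) might ship it.
BACKDOORED_TREE = REVIEWED_TREE.merge(
  'lib/unicorn.rb' => REVIEWED_TREE['lib/unicorn.rb'] + "load '/tmp/extra.rb'\n"
).freeze

# Canonical manifest of a tree: one "sha256  path" line per file, sorted by
# path. Signing the manifest binds the signature to every file's exact bytes.
def manifest(files)
  files.keys.sort.map { |path| "#{Digest::SHA256.hexdigest(files[path])}  #{path}" }.join("\n") + "\n"
end

# Sign the manifest with the release key (RSA + SHA-256 here; a detached PGP
# signature over a tarball plays the same role).
def sign_release(private_key, files)
  private_key.sign(OpenSSL::Digest.new('SHA256'), manifest(files))
end

# Authenticity: did the holder of this key sign exactly these bytes?
# Says nothing about whether the bytes are any good.
def authentic?(public_key, files, signature)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, manifest(files))
rescue OpenSSL::PKey::PKeyError
  false
end

# Scrutiny: does the released tree match the tree that was actually reviewed?
def matches_reviewed_tree?(release_files, reviewed_files)
  manifest(release_files) == manifest(reviewed_files)
end

# Report both answers separately, because they are answers to different questions.
def release_checks(public_key, release_files, signature, reviewed_files)
  {
    authentic: authentic?(public_key, release_files, signature),
    matches_reviewed_tree: matches_reviewed_tree?(release_files, reviewed_files),
  }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  honest_sig = sign_release(key, REVIEWED_TREE)
  # Honest release: both checks pass.
  p release_checks(key.public_key, REVIEWED_TREE, honest_sig, REVIEWED_TREE)
  # Tampered after signing: the signature catches it.
  p release_checks(key.public_key, BACKDOORED_TREE, honest_sig, REVIEWED_TREE)
  # Signed with the (compromised) release key: authentic, yet not what was reviewed.
  stolen_key_sig = sign_release(key, BACKDOORED_TREE)
  p release_checks(key.public_key, BACKDOORED_TREE, stolen_key_sig, REVIEWED_TREE)
end
```

The third case is the one Eric's mail is about: a signature made with a compromised key verifies cleanly, so "authentic" is true and the only check that still fails is the comparison against the reviewed tree. RubyGems' own signing (`gem cert`, X.509 certificates in the gemspec) answers the same authenticity question as a PGP signature and has the same limit.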