From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS33070 50.56.128.0/17 X-Spam-Status: No, score=-0.0 required=5.0 tests=AWL,T_DKIM_INVALID shortcircuit=no autolearn=unavailable version=3.3.2 X-Original-To: archivist@yhbt.net Delivered-To: archivist@dcvr.yhbt.net Received: from rubyforge.org (50-56-192-79.static.cloud-ips.com [50.56.192.79]) by dcvr.yhbt.net (Postfix) with ESMTP id 39A001F42E for ; Mon, 11 Mar 2013 23:11:39 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by rubyforge.org (Postfix) with ESMTP id 191B42E0A8; Mon, 11 Mar 2013 23:11:40 +0000 (UTC) X-Original-To: mongrel-unicorn@rubyforge.org Delivered-To: mongrel-unicorn@rubyforge.org Received: from mail-ie0-f170.google.com (mail-ie0-f170.google.com [209.85.223.170]) by rubyforge.org (Postfix) with ESMTP id 2CF6A2E099 for ; Mon, 11 Mar 2013 23:11:34 +0000 (UTC) Received: by mail-ie0-f170.google.com with SMTP id c11so5586617ieb.15 for ; Mon, 11 Mar 2013 16:11:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:content-type; bh=FSDBFLQtKHnNvSuoxV08jimHul8+0TapkiSH2RdiQhQ=; b=uIkILBHJgAAif1DPRh6OeoKeQHz6jp9bc432trnbWtxEFeWMqdXusZGmG1X8YrATFi UmSzbt9vM8iEFbl3LvL1WY0NW+KQFVBALigNa3or9kXb6DWeGVrUmc4YO1P1V1nXC9Qt OzH4T4DXDmCdXS9V5svy/eRYToCD3ubxlKB4Bzr+c2NQK0/azAbK2gqVWp9flBAKNS5c OtyA7xmmRdeSCH6bhTmVXpm8/e9vplOGdGGja1IGfkGox927zyCFToV92AXlMJvZphZc ewbgJxD0fE74OJj6GNBQk+XJCVZ0GcnVknBWamMaqkF7+xw6uP+Qx+lSYs5sJD9c4XTE NgsQ== X-Received: by 10.50.135.8 with SMTP id po8mr9209224igb.41.1363043492425; Mon, 11 Mar 2013 16:11:32 -0700 (PDT) MIME-Version: 1.0 Received: by 10.64.73.33 with HTTP; Mon, 11 Mar 2013 16:10:52 -0700 (PDT) In-Reply-To: <20130311224812.GA26407@dcvr.yhbt.net> References: <20130311224812.GA26407@dcvr.yhbt.net> From: Hongli Lai Date: Tue, 12 Mar 2013 00:10:52 +0100 X-Google-Sender-Auth: WVFOtUrAe2ODQAFWT_YsHZfqd6Y Message-ID: Subject: Re: Signing the gem with a PGP key To: unicorn list X-BeenThere: mongrel-unicorn@rubyforge.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: mongrel-unicorn-bounces@rubyforge.org Errors-To: mongrel-unicorn-bounces@rubyforge.org On Mon, Mar 11, 2013 at 11:48 PM, Eric Wong wrote: > Can we designate gems be signed by a trusted third party (e.g. you?) > That's how Debian (and presumably other OS distros work). > > _Nobody_ should trust me. I have and maintain zero credibility. > The only credibility any unicorn has is what its users give it. Well the kind of trust we're talking about here is not trustworthiness (i.e. "does the software work well and will it refrain from formatting my harddisk?"), but authenticity ("is this gem made by the Unicorn and not someone pretending to be him?"). Given that definition of "trust", having a third party sign the gem is not very useful, and letting you sign the gem will not make it a statement about trustworthiness, warranty or credibility. What do you think? -- Phusion | Ruby & Rails deployment, scaling and tuning solutions Web: http://www.phusion.nl/ E-mail: info@phusion.nl Chamber of commerce no: 08173483 (The Netherlands) _______________________________________________ Unicorn mailing list - mongrel-unicorn@rubyforge.org http://rubyforge.org/mailman/listinfo/mongrel-unicorn Do not quote signatures (like this one) or top post when replying