Re: pkgsrc binary packages security with pkgin

[Johnny Billquist <bqt%update.uu.se@localhost>]

On 2020-01-31 12:39, Johnny Billquist wrote:
> On 2020-01-31 12:37, Manuel Bouyer wrote:
> > On Fri, Jan 31, 2020 at 12:32:06PM +0100, Johnny Billquist wrote:
> > > Of course you can. But then you need to have a whole list of trusted 
> > > public
> > > keys that needs to be managed, which again leads to the question of 
> > > which
> > > keys are now the acceptable ones. And how to you trust new builders? Can
> > > anyone then be added to the list of official builders of packages, or 
> > > how to
> > > you manage that side?
> > > Key management is not trivial.
> >
> > Of course it's not. But this is not really a technical issue.
>
> Security is never a technical issue, more than at the surface...

(Which is why I objected to the implication that https is important, and 
somehow adds some security here in the first place.)

  Johnny

--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt%softjar.se@localhost             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol