I'm conflicted on this one, so I'll do a write up. PGP is a complex tool to do a simple thing, and it's fine used properly for that. https://twitter.com/sweis/status/806163180762370048 …
Point was the interface though: having a cmd "verify this signed file against this key file" vs pgp stateful keyring
-
-
It's nice to have that, but it's also nice to have a way to automatically fetch them and store them for easy TOFU.
-
GPG is terrible, sure. There aren't great alternatives though. Important to have a trusted way to obtain the tool too.
-
Git signed tags are particularly bad since they are really only signing the last hash in a chain of sha1 hashes...
-
There are no practical attacks now or likely in the immediate future, but yes.
-
git should probably just add a secondary hash algorithm alongside sha1 in a backwards-compatible way.
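To make the "last hash in a chain" point concrete, here is an added example (not from anyone in the thread) that reproduces git's object hashing for a constructed one-file repository and shows that the bytes a signed tag covers name only the commit id, so the tree and every file under it are bound by SHA-1 alone. The file contents, author and tag name are made up.

```python
import hashlib

def git_object_id(obj_type: str, content: bytes) -> str:
    """Git object id: SHA-1 over "<type> <size>\\0" + content. Every link below the tag is one of these."""
    return hashlib.sha1(f"{obj_type} {len(content)}\0".encode() + content).hexdigest()

def signed_tag_payload(commit_oid: str, tag_name: str) -> bytes:
    """The bytes gpg signs for `git tag -s`: the tag object minus its signature.
    It names the commit only by SHA-1; tree and blob ids appear nowhere in it."""
    return (f"object {commit_oid}\ntype commit\ntag {tag_name}\n"
            "tagger A U Thor <author@example.com> 1480000000 +0000\n"
            f"\nRelease {tag_name}\n").encode()

def children(obj_type: str, content: bytes) -> list:
    """Object ids an object references: commit -> its tree, tree -> its entries, blob -> none."""
    if obj_type == "commit":
        return [content.split(b"\n", 1)[0].split(b" ")[1].decode()]
    ids, i = [], 0
    while obj_type == "tree" and i < len(content):
        nul = content.index(b"\0", i)            # "<mode> <name>\0" then 20 raw id bytes
        ids.append(content[nul + 1:nul + 21].hex())
        i = nul + 21
    return ids

def chain_intact(payload: bytes, store: dict) -> bool:
    """Walk tag -> commit -> tree -> blobs, recomputing each SHA-1 from the stored bytes.
    The signature vouches only for `payload`; everything beneath it rests on SHA-1."""
    todo = [payload.split(b"\n", 1)[0].split(b" ")[1].decode()]
    while todo:
        oid = todo.pop()
        if oid not in store:
            return False
        obj_type, content = store[oid]
        if git_object_id(obj_type, content) != oid:
            return False
        todo.extend(children(obj_type, content))
    return True

def build_sample_repo() -> tuple:
    """Constructed one-file repository (not a real project); returns (object store, signed payload)."""
    blob = b"print('hello')\n"
    blob_id = git_object_id("blob", blob)
    tree = b"100644 hello.py\0" + bytes.fromhex(blob_id)
    tree_id = git_object_id("tree", tree)
    commit = (f"tree {tree_id}\nauthor A U Thor <author@example.com> 1480000000 +0000\n"
              "committer A U Thor <author@example.com> 1480000000 +0000\n\nInitial commit\n").encode()
    commit_id = git_object_id("commit", commit)
    store = {blob_id: ("blob", blob), tree_id: ("tree", tree), commit_id: ("commit", commit)}
    return store, signed_tag_payload(commit_id, "v1.0")

if __name__ == "__main__":
    store, payload = build_sample_repo()
    print("chain intact:", chain_intact(payload, store))
    blob_id = next(k for k, v in store.items() if v[0] == "blob")
    store[blob_id] = ("blob", b"print('tampered')\n")   # bytes swapped under an unchanged id
    print("after tamper:", chain_intact(payload, store))
```

A real verifier would additionally check the PGP signature over `payload`; this walk only shows which bytes that signature does and does not cover.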