@KentonVarda @zooko @bascule all these should distribute and verify signed hashes. worst case this stupid thing: http://jbenet.github.io/hashpipe
Replying to @juanbenet
@juanbenet @zooko @bascule You've just moved the problem from authenticating the script to authenticating the signing key.
Replying to @KentonVarda
@KentonVarda @zooko @bascule yes and that's way easier. No free lunch, but well-known PKI is easier than ad-hoc script inspection/auth.
Replying to @juanbenet
@juanbenet @zooko @bascule HTTPS is well-known PKI. Has some problems but realistically we all rely on it.
Replying to @KentonVarda
@KentonVarda @zooko @bascule yeah i don't think it's a good status quo. sucks we don't have something better, but shouldn't make it worse
Replying to @juanbenet
@KentonVarda @zooko @bascule of course, all can be (is) owned by some parties, but think atk surface smaller with alt PKI + signed releases
Replying to @juanbenet
@KentonVarda @zooko @bascule (says the guy _without_ signed releases... :] -- waiting on Go 1.5 for some _really nice_ bin delivery)
Replying to @juanbenet
@juanbenet @KentonVarda @zooko state-of-the-art is probably http://theupdateframework.com/ coming soon to PyPI and RubyGems
Replying to @bascule
@juanbenet @KentonVarda @zooko should read the TUF paper if you haven't seen it already: http://freehaven.net/~arma/tuf-ccs2010.pdf …
Replying to @bascule
@bascule @KentonVarda @zooko thanks, i haven't will do.
@juanbenet @KentonVarda @zooko since you seem to be interested in Go: https://github.com/flynn/go-tuf