by raesene3
3733 days ago
Indeed, package signing is not the holy grail and won't solve all problems, but it is a part of a secure system. For the problem this blog post talks about, I personally think that Keybase is the right solution. You can tie a key to a GitHub repository amongst others and then validate that the package you're installing came from the person who put the code on GitHub in the first place...