by afiori 1480 days ago
I believe that adding key handling as a necessary step for npm, docker, and similar registries isn't a good idea.

But it would be easy to sign all packages: if the author has decided not to use signatures, the registry adds its own signature; at any moment the author can choose to start using their own keys in place of the registry's.
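The opt-in scheme sketched in the comment above, as an added example that is not the commenter's code nor any real registry's: a registry that signs a release with its own Ed25519 key when no author key is on file, switches to requiring the author's signature once a key is registered, and a client that verifies either way. Package names, the in-memory key store and the `pkg-sig-v1` signing-input layout are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer records who produced the signature stored with a release.
type Signer string

const (
	SignedByRegistry Signer = "registry"
	SignedByAuthor   Signer = "author"
)

// Package is what the registry serves: a content digest plus one signature.
type Package struct {
	Name, Version string
	Digest        [32]byte // sha256 of the tarball
	Signer        Signer
	Sig           []byte
}

// Registry holds its own signing key plus the author keys that have opted in.
type Registry struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	authorKeys map[string]ed25519.PublicKey // package name -> author key (hypothetical in-memory store)
	packages   map[string]Package            // "name@version" -> release
}

func NewRegistry() (*Registry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Registry{priv: priv, Pub: pub,
		authorKeys: map[string]ed25519.PublicKey{}, packages: map[string]Package{}}, nil
}

// SigningInput binds name, version and content digest together so a signature
// cannot be replayed onto another package or version. Fields are length-prefixed.
func SigningInput(name, version string, digest [32]byte) []byte {
	hdr := fmt.Sprintf("pkg-sig-v1\x00%d:%s\x00%d:%s\x00", len(name), name, len(version), version)
	return append([]byte(hdr), digest[:]...)
}

// RegisterAuthorKey is the opt-in step: from now on the registry refuses to
// sign this package itself and requires the author's signature instead.
func (r *Registry) RegisterAuthorKey(name string, pub ed25519.PublicKey) {
	r.authorKeys[name] = pub
}

// Publish accepts a release. authorSig may be nil while the author has not opted in.
func (r *Registry) Publish(name, version string, tarball, authorSig []byte) (Package, error) {
	p := Package{Name: name, Version: version, Digest: sha256.Sum256(tarball)}
	input := SigningInput(name, version, p.Digest)
	if authorPub, ok := r.authorKeys[name]; ok {
		if !ed25519.Verify(authorPub, input, authorSig) {
			return Package{}, errors.New("author key registered but signature missing or invalid")
		}
		p.Signer, p.Sig = SignedByAuthor, authorSig
	} else {
		p.Signer, p.Sig = SignedByRegistry, ed25519.Sign(r.priv, input)
	}
	r.packages[name+"@"+version] = p
	return p, nil
}

// Verify is the client side. registryPub is pinned in the client; authorPub is the
// author key the client has learned for this package, or nil. Policy: once an author
// key is known, a release carrying only the registry's signature is rejected, so a
// compromised or coerced registry cannot quietly take over signing again.
func Verify(registryPub, authorPub ed25519.PublicKey, p Package, tarball []byte) error {
	if sha256.Sum256(tarball) != p.Digest {
		return errors.New("tarball digest mismatch")
	}
	input := SigningInput(p.Name, p.Version, p.Digest)
	switch p.Signer {
	case SignedByAuthor:
		if authorPub == nil || !ed25519.Verify(authorPub, input, p.Sig) {
			return errors.New("author signature missing, unknown key, or invalid")
		}
	case SignedByRegistry:
		if authorPub != nil {
			return errors.New("author key known but release is only registry-signed")
		}
		if !ed25519.Verify(registryPub, input, p.Sig) {
			return errors.New("bad registry signature")
		}
	default:
		return errors.New("unknown signer")
	}
	return nil
}

func main() {
	r, _ := NewRegistry()
	tar := []byte("constructed tarball contents")
	p, _ := r.Publish("left-pad", "1.0.0", tar, nil)
	fmt.Println("1.0.0 signed by:", p.Signer, "verify:", Verify(r.Pub, nil, p, tar))
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	r.RegisterAuthorKey("left-pad", authorPub)
	sig := ed25519.Sign(authorPriv, SigningInput("left-pad", "2.0.0", sha256.Sum256(tar)))
	p2, _ := r.Publish("left-pad", "2.0.0", tar, sig)
	fmt.Println("2.0.0 signed by:", p2.Signer, "verify:", Verify(r.Pub, authorPub, p2, tar))
}
```

The one design point worth dwelling on is the downgrade rule in `Verify`: releases published before the author opted in remain registry-signed, so a client that has learned the author key will reject them. That is the intended trade-off here (the registry alone can no longer vouch for the package), but a real registry would need to either have the author re-sign old versions or let the client pin the version at which the switch happened.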