@orionwl wonder if this would be a good time to try bip322 sigs for releases?
@ajtowns @orionwl Web-of-trust works for its intended audience: people who are taking the time to actually verify something rather than just relying on their web browsers.
Re: multisig, just sticking a few different signatures on releases manually is fine. Anyone verifying this stuff to that level is verifying it manually anyway. And PGP *does* allow for multiple signatures on one file, even in things like git commits.
@pete @orionwl Manually verifying things doesn't scale; that's why apt and the like verify signatures automatically. You have to trust/verify you got the initial installation right and haven't been compromised since, but automation makes staying up to date easier. Automating gpg is pretty painful, and we have our own signing tools that we have to maintain anyway. But *shrug* - I've done the adding-gpg stuff with apt already, don't need to climb that mountain again.
@ajtowns @orionwl In particular, it is _very_ likely that at least some of those academics are literally being paid off by the likes of the NSA to discourage the use of secure, decentralized tech.
We know from the Snowden leaks that GnuPG was one of the things they had severe problems compromising reliably. Equally, the PGP _mindset_ is one that makes for systems that are hard to compromise.