While I applaud the efforts to distribute signed packages through OPAM (https://opam.ocaml.org/blog/Signing-the-opam-repository/), signatures for the source and binary tarballs of OPAM itself are still missing.
This is a big hole in the system: how much is OPAM checking all package signatures worth if I can't trust that I have an unmodified version of the OPAM tool itself?
One might leverage, e.g., Debian package signatures, but the Debian maintainers have the same problem as myself: how do they verify the next OPAM version? Also, what if I want to use the latest OPAM version during the time it is not yet available on Debian? The same holds for Fedora and all other distros.
So I propose to provide a signed SHA512 checksums file for every OPAM release that contains the checksums of all source and binary tarballs, using one or two GPG keys that will remain stable over a long time period.

This was fixed for opam 2.0.1 - we sign the release binaries and the full sources tarball. We can't control the source artefacts produced by GitHub (but it's always possible to use the full sources tarball instead).
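The scheme proposed in the issue (a signed SHA512 checksums file covering every release artefact, verified against a long-lived, pinned key) as an added example in Go; this is illustration code, not opam's release tooling. Ed25519 from the Go standard library stands in for GPG so that it runs offline, the artefact names and contents are constructed, and the key is generated on the fly where a real downloader would pin the project's published key out of band. What the example shows beyond the text: the manifest signature is checked before any hash, an artefact that is not listed in the signed manifest is rejected rather than ignored, and a manifest re-signed by an attacker's key fails even though its hashes match the backdoored file.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest renders a sha512sum-style checksums file for a release:
// one "<hex sha512>  <filename>" line per artefact, sorted by name so the
// output is reproducible.
func BuildManifest(artefacts map[string][]byte) string {
	names := make([]string, 0, len(artefacts))
	for n := range artefacts {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha512.Sum512(artefacts[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignManifest produces a detached signature over the manifest bytes
// (the role GPG --detach-sign would play in the proposal).
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is what a downloader runs. Order matters: the manifest
// signature is checked against the pinned release key first, so the hash
// list is trusted before any hash is compared. Every downloaded artefact
// must then match its listed SHA512; anything the manifest does not list
// is rejected, because an unsigned extra tarball is not part of the release.
func VerifyRelease(pinned ed25519.PublicKey, manifest string, sig []byte, downloaded map[string][]byte) error {
	if !ed25519.Verify(pinned, []byte(manifest), sig) {
		return errors.New("manifest signature does not verify against the pinned release key")
	}
	expected := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != 128 { // SHA512 is 64 bytes = 128 hex chars
			return fmt.Errorf("malformed manifest line: %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	for name, data := range downloaded {
		want, ok := expected[name]
		if !ok {
			return fmt.Errorf("%s is not listed in the signed manifest", name)
		}
		sum := sha512.Sum512(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: SHA512 mismatch, artefact was modified", name)
		}
	}
	return nil
}

// Scenario exercises the happy path and three failure modes. The tarball
// contents are constructed toy byte strings, not real opam releases.
func Scenario() (genuine, tampered, unlisted, resigned error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the pinned release key
	release := map[string][]byte{
		"opam-full-2.0.1.tar.gz":  []byte("constructed full-sources tarball"),
		"opam-2.0.1-x86_64-linux": []byte("constructed linux binary"),
	}
	manifest := BuildManifest(release)
	sig := SignManifest(priv, manifest)

	genuine = VerifyRelease(pub, manifest, sig, release)

	// 1. Binary swapped on the mirror, manifest untouched: hash mismatch.
	bad := map[string][]byte{"opam-2.0.1-x86_64-linux": []byte("constructed linux binary with a backdoor")}
	tampered = VerifyRelease(pub, manifest, sig, bad)

	// 2. Extra artefact the release never signed: rejected as unlisted.
	extra := map[string][]byte{"opam-2.0.1-extra.tar.gz": []byte("constructed unsigned artefact")}
	unlisted = VerifyRelease(pub, manifest, sig, extra)

	// 3. Attacker rebuilds and re-signs the manifest with their own key:
	//    hashes match the backdoored file, but the pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	badManifest := BuildManifest(bad)
	resigned = VerifyRelease(pub, badManifest, SignManifest(attackerPriv, badManifest), bad)
	return
}

func main() {
	g, t, u, r := Scenario()
	fmt.Println("genuine release:", g)
	fmt.Println("tampered binary:", t)
	fmt.Println("unlisted artefact:", u)
	fmt.Println("re-signed manifest:", r)
}
```

The pinned public key is the whole trust anchor: if a downloader fetches it from the same mirror as the tarballs, case 3 above becomes undetectable, which is why the issue asks for keys that stay stable over a long period and can be obtained once through an independent channel.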