Hi cool people,
I thought that signing stable releases would be a pretty neat improvement in terms of security.
Plus it has a near zero cost of implementation. Also, it won’t affect users who don’t care. So it’s a win for everyone.
As for the signing mechanism I would suggest using one of those, in the following order:
1. Signify.
2. Reop.
3. OpenPGP.
(OpenPGP is better than nothing but 1 & 2 literally destroy it.)
Thanks for reading.
I forgot to link some info about the first two programs. (I’m assuming that everyone already knows OpenPGP.)
So here are some useful links about them:
Signify
A smoll utility designed only for signing stuff. Ages less complex than OpenPGP.
Reop
Similar to OpenPGP, but better. It’s not a hot glued mess.
OpenPGP.
Don’t. Some articles about it are linked in the blogpost about reop.
yeah, given that we update from a near-arbitrary URL, a verification wouldn’t be the worst idea in the world
i’ll look into it~
Thanks for considering this.
:D
Implemented as of Akkoma stable 2022.09 - modified in translation
thanks for letting me know about this~