On Thu, Aug 8, 2019 at 6:23 PM François Kooman <fkooman@xxxxxxxxx> wrote:
As for the current status quo, i.e. PGP, see [2,3], it would be fair to
hold PGP (GnuPG) to the same standards... Based on its history of
vulnerabilities I don't really trust it for anything. I'm sure you can
use it safely if you are an expert and don't use key servers, but well,
I don't trust myself with PGP... That is also the main reason I am in
the process of switching to signify/Minisign for my own projects.
Thanks for posting this. I haven't gone into the weeds regarding PGP vulnerabilities, but completely
agree that PGP is absurdly complex to use. Minisign looks to be a simpler alternative that most likely
will grow in popularity once people are educated about it. Seems like a good idea to also include it in the guidelines.
_______________________________________________ packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx
