Ximin Luo:
> Signatures provide a way for us to aggregate public trust on binaries that
> don't build themselves. So it's important to have multiple and *very direct*
> meanings of what-is-being-signed, to avoid a transitive-trust situation.

I sent this in a rush; better version:

Signatures provide a way for us to aggregate public trust on binaries that people don't build themselves. So it's important to have multiple and *very direct* meanings of what-is-being-signed, strongly associated to the signer, to avoid a transitive-trust situation.

--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git