Discuss and implement PGP support. #58
Comments
dpc added enhancement, help needed, design labels Dec 13, 2018
stevenroose commented Dec 14, 2018
I think it makes sense to reuse existing key infrastructure like PGP yes. Though trusting a PGP identity should of course not be equal to trusting his code reviews ;)
@stevenroose Yes. GPG's WoT is completely out of the picture for Crev. WoT-s between GPG and Crev serve different purposes: confirming that underlying identity is true vs trusting someone's code reviews.
stevenroose commented Dec 18, 2018
But that doesn't take away the utility of using PGP identities for crev, though.
I have created this ticket for a reason. I'm not disputing utility of supporting PGP.
dpc added this to the cargo-crev 1.0 milestone Dec 23, 2018
dpc commented Dec 13, 2018
I am a heavy GPG user, and I believe it's a PITA for a mass audience. But it's almost the only game in town for hardware keys support, so security-minded people will probably want to use that.
GPG support is not implemented, but can be added at a later time.
The identity would look like this:
The exported public key will be embedded into git repo somewhere.
The pgp WoT won't be involved at all here: just 1:1 match between the ID and gpg identity to use to check the signatures against.
Also, review timestamp should be checked to within time of life of a PGP identity.
When the PGP key goes out of life, the author will just create a new one, and set the trust to the old one as high.
It should be fairly straightforward to add, but it is not high on my personal priority list.
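
The two checks described in the opening post (a 1:1 match between the ID and its pinned PGP key, and the review timestamp falling within the key's lifetime), as an added example that is not part of the original thread or of cargo-crev's code. The `PinnedKey` and `Reject` types, the full-fingerprint requirement, and the sample fingerprint and dates are assumptions made for illustration; signature verification itself is assumed to have been done already.

```rust
// Added example: hypothetical types, not cargo-crev's own data model.
#[derive(Debug, PartialEq)]
enum Reject {
    NotFullFingerprint, // short key IDs are not accepted for the 1:1 match
    WrongKey,           // signed by a key other than the one pinned to the ID
    OutsideKeyLifetime, // review timestamp before creation or at/after expiry
}

/// PGP key pinned 1:1 to an ID; the PGP WoT is never consulted.
struct PinnedKey {
    fingerprint: &'static str, // constructed sample value
    created: u64,              // unix seconds
    expires: Option<u64>,      // None = key has no expiry set
}

/// Strip spaces and upper-case, so "ab cd" and "ABCD" compare equal.
fn normalize(fpr: &str) -> String {
    fpr.chars().filter(|c| !c.is_whitespace()).map(|c| c.to_ascii_uppercase()).collect()
}

fn check_review(key: &PinnedKey, signer_fpr: &str, review_ts: u64) -> Result<(), Reject> {
    let signer = normalize(signer_fpr);
    if signer.len() < 40 || !signer.chars().all(|c| c.is_ascii_hexdigit()) {
        return Err(Reject::NotFullFingerprint);
    }
    if signer != normalize(key.fingerprint) {
        return Err(Reject::WrongKey);
    }
    let expired = key.expires.map_or(false, |exp| review_ts >= exp);
    if review_ts < key.created || expired {
        return Err(Reject::OutsideKeyLifetime);
    }
    Ok(())
}

const OLD_FPR: &str = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"; // constructed

fn old_key() -> PinnedKey {
    // Constructed: created 2017-01-01, expired 2019-01-01 (UTC).
    PinnedKey { fingerprint: OLD_FPR, created: 1_483_228_800, expires: Some(1_546_300_800) }
}

fn main() {
    let key = old_key();
    // Review dated 2018-06-01, signed by the pinned key: accepted.
    println!("{:?}", check_review(&key, OLD_FPR, 1_527_811_200));
    // Review dated 2019-06-01, after the key went out of life: rejected.
    println!("{:?}", check_review(&key, OLD_FPR, 1_559_347_200));
}
```

The review timestamp is whatever the signer wrote into the review, so this check bounds what an honest author's old key can vouch for; it does not by itself detect backdating.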