[opam-devel] Package signing (was Re: OPAM 1.3 roadmap)

Daniel Bünzli daniel.buenzli at erratique.ch
Wed Mar 11 13:36:15 GMT 2015



Le mercredi, 11 mars 2015 à 12:57, Hannes Mehnert a écrit :

> I'd leave pins to git+ssh for now alone.. using signed commits open
> another whole can of worms.

I considered that for mitigating the lack of https on erratique.ch at some point but the pgp stuff put me off.  I feel a little bit guilty at the moment as I think I must be the sum of all known bad practices regarding distribution tarballs (no checksum, distribution over http).  

Lack of https should be remedied at some point but the bureaucracy involved is too high for me at the moment. I tried with a free one-year StartCom certificate last year on another domain, but their terrible UI, lack of guidance, in conjunction with my hosting company setup made the renewal so painful that I let it expire... Anil, if I remember correctly you did try the gandi.net certificates, is the user experience maybe a little bit better there ? Their single address certificate for three years [1] (so that I don't have to bother for some time) seem reasonably priced and affordable.  

Best,

Daniel  

[1] https://www.gandi.net/ssl/standard#single


More information about the opam-devel mailing list