[opam-devel] Package signing (was Re: OPAM 1.3 roadmap)

Hannes Mehnert hannes at mehnert.org
Wed Mar 11 14:46:34 GMT 2015



On 03/11/2015 13:36, Daniel Bünzli wrote:
> 
> 
> On Wednesday, 11 March 2015 at 12:57, Hannes Mehnert wrote:
> 
>> I'd leave pins to git+ssh for now alone.. using signed commits
>> opens another whole can of worms.
> 
> I considered that for mitigating the lack of https on erratique.ch
> at some point but the pgp stuff put me off.  I feel a little bit
> guilty at the moment as I think I must be the sum of all known bad
> practices regarding distribution tarballs (no checksum,
> distribution over http).
> 
> Lack of https should be remedied at some point but the bureaucracy
> involved is too high for me at the moment. I tried with a free
> one-year StartCom certificate last year on another domain, but
> their terrible UI, lack of guidance, in conjunction with my hosting
> company setup made the renewal so painful that I let it expire...
> Anil, if I remember correctly you did try the gandi.net
> certificates, is the user experience maybe a little bit better
> there? Their single address certificate for three years [1] (so
> that I don't have to bother for some time) seems reasonably priced
> and affordable.

Daniel,

I'd wait for summer/autumn until https://letsencrypt.org/ people are
ready.  Those commercial CAs sell you snakeoil and it is a waste of money.


Hannes


