Looking for help regarding signed Windows binaries

Related issue: Signed binaries · Issue #7720 · HaxeFoundation/haxe · GitHub

Does anyone know anything about this? It’s the kind of thing where some small advice can easily save several developer hours.

Thanks in advance!

Posted at end of GitHub issue.

I commented there to the effect that I think that “the letsencrypt.org strategy will prevail.”

Certificates will be free and readily available, and people won’t be making phone calls to find out if businesses exist.

To me, the most important thing is that the package is signed, which effectively detects and prevents modification of the package after the fact. Signing tells you that the package which you downloaded is, byte-for-byte, exactly what someone else, somewhere, “signed.”

  • It doesn’t tell you that the code is trustworthy and that it does not contain malice – nothing can. It does not, pragmatically speaking, “vouch for” the content nor the creator in any meaningful way. (Once again, nothing can.)

  • It does protect against tampering, and that is enough. It is an affirmation of package integrity, not content.
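The integrity check described in the reply above, as an added PowerShell example that is not part of the thread or of the Haxe project: it verifies a downloaded binary's Authenticode signature, pins the expected signer, and then shows that changing a single byte of a signed file is detected. The thumbprint value is a placeholder, and the currently running PowerShell host executable is used only as a convenient signed sample; both are assumptions for this example. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the thread): check an Authenticode signature and pin
# the signer. "Valid" means the bytes on disk are exactly what the signer signed;
# it says nothing about whether the code itself is benign.
function Test-BinarySignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: replace with the publisher's real certificate thumbprint.
        [string] $ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT'
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($cert -and $cert.Thumbprint -eq $ExpectedThumbprint) {
                'OK: intact and from the pinned signer'
            } else {
                'INTACT, but signed by someone other than the pinned signer'
            }
        }
        'HashMismatch' { 'TAMPERED: file contents changed after signing' }
        'NotSigned'    { 'UNSIGNED: no integrity claim to check' }
        default        { "UNTRUSTED: $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = if ($cert) { $cert.Subject } else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped = [bool] $sig.TimeStamperCertificate
        Verdict     = $verdict
    }
}

# Tamper demonstration: copy a signed binary, flip one byte in the middle of the
# copy (inside the region covered by the signature hash), and re-check. A binary
# whose signature lives only in a Windows catalog, not embedded in the file,
# reports NotSigned rather than HashMismatch after the edit, because the modified
# file's hash no longer appears in any catalog.
function Invoke-TamperDemo {
    $original = (Get-Process -Id $PID).Path          # the running host, as a sample signed .exe
    $copy     = Join-Path $env:TEMP 'tamper-demo.exe'
    Copy-Item -Path $original -Destination $copy -Force

    $bytes = [System.IO.File]::ReadAllBytes($copy)
    $mid   = [int]($bytes.Length / 2)
    $bytes[$mid] = $bytes[$mid] -bxor 0xFF
    [System.IO.File]::WriteAllBytes($copy, $bytes)

    Test-BinarySignature -Path $original | Format-List
    Test-BinarySignature -Path $copy     | Format-List

    Remove-Item -Path $copy -Force
}

Invoke-TamperDemo
```

The first report should show Status Valid (with a verdict noting the signer is not the pinned placeholder); the second shows HashMismatch for an embedded signature. Pinning the thumbprint is what turns "someone signed this" into "the publisher I expect signed this"; without it a valid signature from any certificate would pass.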
