Open Kixunil opened 1 year ago
I agree with the idea. If the team wants to, they can do something like what the Tails team does, that is, share a key with a selected group of members using, for example, Shamir's secret sharing, and having backup people.
@aikooo7 SSSS is not really suitable for this. Just make multiple signatures so that we can avoid problems if one of the signing machines is compromised.
This is basically a replacement of #537
To avoid cargo-crev itself being compromised, it'd be helpful for a few independent developers to sign its deterministically-built binary and publish it with the release. This also bypasses the problem of getting the newest Rust from a trusted source (assuming the maintainers did). GPG is widely used, understood and available in distros, so I think it's the best choice. The keys can be distributed via Keybase or other independent channels.
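As an added example (not code from cargo-crev or from anyone in this thread), a POSIX shell check a user could run over the release artifacts the proposal describes: the binary's hash must match the published one, and at least a threshold of detached GPG signatures from distinct maintainer keys must verify. It assumes a `<binary>.sha256` file containing the hex digest, a dedicated keyring holding only the maintainers' public keys, and one detached `.asc` signature per maintainer; all of these names are assumptions, not a format the project defines.

```shell
#!/bin/sh
# Added example: verify a release binary against a published SHA-256 and
# require THRESHOLD valid detached GPG signatures from distinct keys held
# in a dedicated maintainer keyring (assumed layout, not cargo-crev's).
set -u

# count_valid_sigs BINARY KEYRING SIG...
# Prints how many distinct keys (by fingerprint) produced a good signature
# over BINARY. A bad or missing signature contributes nothing.
count_valid_sigs() {
    bin=$1; keyring=$2; shift 2
    fprs=""
    for sig in "$@"; do
        # --status-fd gives machine-readable output; the VALIDSIG line (with
        # the signer's full fingerprint) only appears for a good signature.
        fpr=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                  --trust-model always --status-fd 1 \
                  --verify "$sig" "$bin" 2>/dev/null |
              awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }')
        [ -n "$fpr" ] && fprs="$fprs $fpr"
    done
    # The same maintainer signing twice must count once.
    printf '%s\n' "$fprs" | tr ' ' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# verify_release BINARY KEYRING THRESHOLD SIG...
# Returns 0 only if the hash matches and enough independent signatures
# verify; any other outcome is a reason not to run the binary.
verify_release() {
    bin=$1; keyring=$2; threshold=$3; shift 3
    # The deterministic build's digest must equal the published one.
    expected=$(awk 'NR == 1 { print $1 }' "$bin.sha256" 2>/dev/null)
    actual=$(sha256sum "$bin" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || return 1
    n=$(count_valid_sigs "$bin" "$keyring" "$@")
    [ "$n" -ge "$threshold" ]
}
```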