I've been thinking about using Blockchain-based technology -- I'm looking at using Namecoin for a proof-of-concept implementation, but open to other ideas -- to solve the "trusting on first use" problem.
Access to a Namecoin blockchain (either locally or via a trusted server) would allow the Gradle Witness plugin to check PGP signatures on JARs without trusting the files on a central repository.
I've been thinking about using Blockchain-based technology -- I'm looking at using Namecoin for a proof-of-concept implementation, but open to other ideas -- to solve the "trusting on first use" problem.
Access to a Namecoin blockchain (either locally or via a trusted server) would allow the Gradle Witness plugin to check PGP signatures on JARs without trusting the files on a central repository.
I've drafted a topic paper, "Blockchain-based Trust for Software Components" for the Rebooting the Web of Trust conference and am thinking about using the Gradle Witness Plugin as a starting point for a proof-of-concept implementation.
Any feedback or assistance would be greatly appreciated. If there's interest the end result could be a pull-request to the Gradle Witness Plugin.