How do I verify downloaded code?
Public blockchains often end up using a centralized entry point for canonicalization and authentication. Consensus algorithms can be susceptible to majority attacks, and transparency logs are more mature and capable for what we aim to build with sigstore.
Description
The current FAQ in the docs has a question with an answer that doesn't seem to make much sense:
Link here: https://docs.sigstore.dev/about/faq/#how-do-i-verify-downloaded-code
This seems to originate in this commit, which changes the question from Why not use a blockchain? to How do I verify downloaded code?, while keeping the answer (mostly) the same.
The solution would be to change the question back to Why not use a blockchain?.
PR open here: https://github.com/sigstore/docs/pull/295