Open rkhamis opened 6 years ago
commented by @zaibon Who is going to verify the flists ?
commented by @grimpy @zaibon can't we just add GPG signatures? So it's verified the owner did it
commented by @zaibon OK I misunderstood the point here. I thought the point was to verify the content of the flist to see if nothing fishy was put inside. But if we just want to be able to verify integrity after download, I guess GPG is a good solution
commented by @maxux That's why we have « official » repository (cf. https://staging.hub.gig.tech:4430/). I think only official repositories can be trusted, the others contain flists « as is », and you should be careful with them.
Issue migrated from https://api.github.com/repos/zero-os/0-hub/issues/6, opened by @yveskerwyn
In order to prevent attackers from publishing infected flist DBs
Signed FlistDBs are more secure and trustworthy
We should support this from day one... Docker only introduced this feature with Docker Content Trust later; it automatically signs and verifies the signature of a publisher.
Also the Docker alternative rkt has had this capability since inception; signature verification is done by default.
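The publisher-signature scheme the thread asks for (sign on upload, verify identity and integrity on download, trust only known publishers), as an added example that is not part of the 0-hub project or this issue. It uses Ed25519 from the Go standard library in place of GPG; the `SignedFlist` type, the `trusted` key set and the archive bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedFlist bundles an flist archive with its publisher's signature.
// The signature covers the SHA-256 digest of the archive bytes, so any
// modification after signing is detected. (Constructed type for this example.)
type SignedFlist struct {
	Publisher string
	Archive   []byte
	Sig       []byte
}

// Sign is what the publisher runs when uploading an flist to the hub.
func Sign(publisher string, priv ed25519.PrivateKey, archive []byte) SignedFlist {
	digest := sha256.Sum256(archive)
	return SignedFlist{Publisher: publisher, Archive: archive, Sig: ed25519.Sign(priv, digest[:])}
}

// Verify is what the downloader runs. trusted maps publisher names to their
// public keys (the "official repository" list from the thread): an unknown
// publisher is rejected outright, and a signature made with any other key or
// over any other bytes fails the check.
func Verify(f SignedFlist, trusted map[string]ed25519.PublicKey) error {
	pub, ok := trusted[f.Publisher]
	if !ok {
		return fmt.Errorf("publisher %q is not in the trusted key set", f.Publisher)
	}
	digest := sha256.Sum256(f.Archive)
	if !ed25519.Verify(pub, digest[:], f.Sig) {
		return fmt.Errorf("signature check failed for %q: archive modified or key mismatch", f.Publisher)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"official": pub}
	archive := []byte("constructed flist archive bytes") // constructed sample input
	f := Sign("official", priv, archive)
	fmt.Println("genuine flist:", Verify(f, trusted))
	f.Archive[0] ^= 0xff // flip one byte after signing
	fmt.Println("tampered flist:", Verify(f, trusted))
}
```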