Comments (3)
This is still a high priority for me, but I'm going to wait until after the second beta to address it.
from airship.
I've decided against automating this verification. Instead, the information should be available to the end user. The tools (barge and Pharaoh) already exist to perform this verification.
Every extension update that goes into Keyggdrasil should include the current URI of the version control software and the commit hash of that update. This way, the information is public and auditable. If someone wants to verify that the package in the archive is the same one they build from the source code, they can. If even one person does, since everyone sees the same thing, it strengthens the security of everyone.
Caveat: Only open source packages can be truly delivered securely.
Thanks @defuse for confirming we don't need this to be automated and provided for the users.
Yep, exactly right.