Hacker News

brabel, yesterday at 11:58 AM

You don’t need certificates, just use PGP keys like Maven.


Replies

gruez, yesterday at 1:23 PM

PGP keys don't tell you anything about a developer's "real identity". Theoretically there's some "web of trust", but realistically everyone just blindly downloads whatever PGP key is listed on the repo's install instructions.
