foliage
Maybe don't auto-generate keys?
Given that
- There is a command to create keys
- There is a way to build without keys
- Building with a freshly created set of keys is rarely what you want
I think it would be reasonable to not automatically generate keys. It mostly makes it easier to do 3 by accident, which is rarely what you want.
Brainstorming: perhaps we should flip the polarity and not sign by default, unless you explicitly say to do so.
Then we'd want a way to prevent people from forgetting; maybe we want a repo.toml in the root that specifies whether the repo is supposed to be secure or not. Then it's all very explicit.
> perhaps we should flip the polarity and not sign by default, unless you explicitly say to do so.
I think this is a good idea. To be fair, I thought signatures were required when I first started working on this.
@michaelpj see https://github.com/andreabedini/foliage/pull/23
Yes, I agree that automatic key generation should not be enabled by default. This behavior has led to some very surprising bugs in my experience.