Michael Altfield
+1 but note that interacting with Session users programmatically isn't just for 1337 h4x0rs who want to talk with their friends on their linux laptops over CLI; it would be...
See also https://github.com/hesiod-project/node-session-client/
@VityaSchel will it be possible to securely obtain it? npm is infamous for supply chain security issues.
I don't think we should consider any supply chain that requires the use of npm to be secure. Same for "downloading from github" -- except for releases that are cryptographically...
I also recommend adding a `KEYS` file to the root of your repo (located alongside files like `COPYING` and `AUTHORS`), per the [KEYS standard established by Apache](https://infra.apache.org/release-signing#keys-policy)

* https://infra.apache.org/release-signing#keys-policy

For...
> I do not see any repos I am involved doing that (eg: libusb, pyusb, avrdude, openocd, libftdi, hidapi, etc).

Check Maven. 100% of the packages on [Apache Maven's central...
> What is missing here?

Sorry if I was unclear: this ticket is asking for documentation. What's missing is documentation.
> At least I do not see anything like that in the official github repo.

A good example is the [Apache Ant KEYS file](https://downloads.apache.org/ant/KEYS)

* https://downloads.apache.org/ant/KEYS

> They do not...
Here are some example pages from open source projects documenting how their users can cryptographically verify their releases:

* https://www.apache.org/info/verification.html#CheckingSignatures
* https://docs.featherwallet.org/guides/linux#verifying-the-download-optional
* https://support.torproject.org/tbb/how-to-verify-signature/
* https://ubuntu.com/tutorials/how-to-verify-ubuntu
* https://tails.net/install/expert/index.en.html#verify-key
* https://calyxos.org/install/verify/#additional-verification...
> I am also trying to understand why most projects do not even sign the release.

Unfortunately, security is an afterthought for most software developers. If you don't sign your...