adding more specific verification instructions #878
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
need to verify fingerprints are authentic by comparing them in multiple places
|
Makes sense to me, the instructions for verifying signatures are somewhat vague as-is. |
|
intended or not, this enshrines the for-profit social construct NAK |
|
ACK |
stickies-v
reviewed
Nov 30, 2022
There was a problem hiding this comment.
Concept ACK, but I would:
- add the extra trustworthiness verification instructions at the end of the paragraph, instead of at the beginning
- rationale: these instructions are mostly aimed at people unfamiliar with the process, and the process can already be intimidating (or appear too much hassle) as is. Imo it's a big win already if people start out with just getting keys from
builder-keys. Then, when that all worked, they can (but if they don't, they're still much better off than not verifying at all) increase their trust in the keys by looking at other platforms etc). I can imagine that when some people read these extended instructions, they would just not verify at all because they don't know (or don't want to spend the time to investigate) what trustworthy websites are and therefore assume the whole thing is pointless.
- rationale: these instructions are mostly aimed at people unfamiliar with the process, and the process can already be intimidating (or appear too much hassle) as is. Imo it's a big win already if people start out with just getting keys from
- in addition to looking at trustworthy websites, suggest comparing fingerprints with people they trust
maflcko
reviewed
Jan 5, 2023
| @@ -95,8 +95,7 @@ obtain_release_key: > | |||
| key using this command:</p> | |||
|
|
|||
| choosing_builders: > | |||
| It is recommended that you choose a few individuals from this list who you find | |||
| trustworthy and import their keys as above, or import all the keys per the | |||
| It is recommended that you choose a few individuals from this list whose fingerprints you have confirmed to be authentic by comparing them on multiple trustworthy websites and import their keys as above, or import all the keys per the | |||
| instructions in the <a href="$(BUILDER_KEYS_URL)"><code>contrib/builder-key</code> | |||
| README</a>. You will later use their keys to check the signature attesting to the | |||
There was a problem hiding this comment.
This file no longer exits. It might be better to directly link to the guix attestations repo and explain that each release is signed by a different set of builders. For example the 23.1 one is signed by https://github.com/bitcoin-core/guix.sigs/tree/main/23.1
|
Are you still working on this? |
|
Another friendly ping, especially for updating the URL pointing to the builder keys as it's confusing users. |
Merged
|
Incorporated into new PR: #964 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
need to verify fingerprints are authentic by comparing them in multiple places