Comments (5)
Sure, though I don't know how to get started with that. Do you have any pointers?
from host-spawn.
I've looked into this, and I'm not exactly sure what kind of benefit it would provide over just compiling the application yourself if you do not trust the binaries.
Also, were I to set it up, I would use more sane tools like OpenBSD's signify or minisign, than the abomination that is PGP/GPG. Given that I don't know why you need signatures, I'm not even sure if you require any specific format or it would just be a lot of work that is ultimately not very useful.
Again, I'm just ambivalent about the idea, so I'd like to know more about your use case to form a plan of action.
from host-spawn.
I'm not familiar with signify or minisign but am willing to learn to use it if it's available in Fedora. That said, if there isn't demand for it, I'm OK just recompiling it myself for now and saving yourself the overhead. :) (But ideally, it'd be nice if either this gets packaged into Fedora or folded into toolbx.)
from host-spawn.
The overhead with minisign is pretty minimal, I'm just not sure what these signatures are supposed to defend against... ultimately I offer binaries to download, so you will still have to trust me, or GitHub Actions in this case, that they've not been tampered with.
BTW, there is a pending request from your colleague in #10 to adapt the code to be used in toolbx, but the discussion has stalled for the moment.
from host-spawn.
As is, one has to trust both you and GitHub (or that it hasn't been compromised). If the binaries are signed, one only has to trust you (which I already do, since I use your code :) ). But again, I'm OK recompiling from tags (though ideally, those would be signed too).
from host-spawn.