<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 07/10/2016 at 09:41, Brian Candler wrote:<br>
</div>
<blockquote
cite="mid:8bba5bbd-61b6-f001-fde5-4ec18d8984f8@pobox.com"
type="cite"><br>
I can't see any way in which adding plugin signatures to pass
itself is helpful. How are you going to choose which signatures to
trust? Either pass is hard-coded with a list of trusted plugin
authors, or you have to add the author keys too. In which case
this is no better than either of the previous options.
</blockquote>
<br>
<br>
My message was to introduce signing for trust. It effectively happens,
to some extent, with .deb packages (there could be other examples, of
course).<br>
<br>
Web of trust is a way to delegate trust to other people whom you
trust, as far as I know. It was introduced a long time ago in GPG, for
example. You need to meet the person physically to fully trust
his/her key.<br>
<br>
So by following the links of trusted signatures you may, or may not,
arrive at trusting a plugin using your own keyring.<br>
<br>
I don't know if it is needed here for pass, but the subject has been
mentioned earlier in the link I posted. Maybe not in that form, but
as more and more really good plugins arrive, it could be interesting
to think about that.<br>
<br>
Custom subcommands are a really pleasing concept, and I was
thinking out loud about how, and whether, this needs to be achieved by
signing custom scripts.<br>
<br>
I'm also interested in how a "community trust" of signed keys could
behave, as it's also developed in <a href="https://en.duniter.org/">free
money software</a>.<br>
<br>
Regards,<br>
Sylvain.<br>
<pre class="moz-signature" cols="72">--
Sylvain Viart - Linux system DevOps - freelance developer</pre>
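<br>
The "following the links of trusted signatures" idea above, as an added illustration that is not part of this message or of pass: a small model of GnuPG's classic web-of-trust validity computation, run over a constructed keyring to decide whether a plugin author's key ends up fully valid. The thresholds (1 full or 3 marginal certifiers, depth at most 5) are assumed to match GnuPG's defaults; the key names and the certification graph are made up for the example.<br>

```python
from typing import Dict, Set

# Assumed GnuPG defaults for the classic trust model.
MARGINALS_NEEDED = 3   # --marginals-needed
COMPLETES_NEEDED = 1   # --completes-needed
MAX_CERT_DEPTH = 5     # --max-cert-depth


def compute_validity(owner_trust: Dict[str, str],
                     certifications: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return each key's validity: 'ultimate', 'full', 'marginal' or 'unknown'.

    owner_trust: how far you trust a key's owner to certify others
                 ('ultimate', 'full', 'marginal' or 'none').
    certifications: key id -> set of key ids that signed it.
    Only fully valid keys propagate trust, weighted by their owner-trust.
    """
    keys = set(owner_trust) | set(certifications)
    for signers in certifications.values():
        keys |= signers
    validity = {k: "unknown" for k in keys}
    for k, t in owner_trust.items():
        if t == "ultimate":
            validity[k] = "ultimate"            # your own keys sit at depth 0
    for _depth in range(MAX_CERT_DEPTH):        # one certification hop per round
        newly = {}
        for key, signers in certifications.items():
            if validity[key] in ("full", "ultimate"):
                continue
            valid = [s for s in signers if validity[s] in ("full", "ultimate")]
            fulls = sum(owner_trust.get(s) in ("full", "ultimate") for s in valid)
            margs = sum(owner_trust.get(s) == "marginal" for s in valid)
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                newly[key] = "full"
            elif margs > 0:
                newly[key] = "marginal"         # some support, not enough to trust
        validity.update(newly)
        if "full" not in newly.values():        # fixed point: no new fully valid key
            break
    return validity


def plugin_trusted(validity: Dict[str, str], author_key: str) -> bool:
    """A plugin signature is only worth acting on if the author's key is fully valid."""
    return validity.get(author_key, "unknown") in ("full", "ultimate")


# Constructed keyring: 'me' signs some friends; their signatures lead (or not) to plugin authors.
OWNER_TRUST = {"me": "ultimate", "alice": "full", "bob": "marginal",
               "carol": "marginal", "dave": "marginal", "erin": "none"}
CERTIFICATIONS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "erin": {"me"},
    "dave": {"alice"},                      # valid via alice, two hops from you
    "plugin-x": {"alice"},                  # one fully trusted certifier is enough
    "plugin-y": {"bob", "carol", "erin"},   # two marginals plus an untrusted signer: not enough
    "plugin-z": {"bob", "carol", "dave"},   # three marginal certifiers: trusted
    "plugin-w": {"stranger"},               # certifier not in your web at all
}

if __name__ == "__main__":
    v = compute_validity(OWNER_TRUST, CERTIFICATIONS)
    for k in ("plugin-x", "plugin-y", "plugin-z", "plugin-w"):
        print(f"{k}: validity={v[k]} trusted={plugin_trusted(v, k)}")
```

A valid key whose owner you gave no trust (erin) counts for nothing, and a marginally valid key never certifies anyone, which is why plugin-y stays untrusted.<br>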
</body>
</html>