undefined | Better HN

0 pointsprogbits2y ago0 comments

> Getting punched in the face is actually a necessary human condition for a healthy civilization.

Aside from signed commits, we need to bring back GPG key parties and web of trust. When using a project you would know how many punches away from the committers you are.

0 comments

woodruffw2y ago

PGP is more famous for "web of trust" topologies, not chains of trust.

For all of their nerd cred, key parties didn't accomplish very much (as evidenced by the fact that nothing on the Internet really broke when the WoT imploded a few years ago[1]). The "real" solution here is mostly cultural: treating third-party software like the risky thing it actually is, rather than a free source of pre-screened labor.

[1]: https://inversegravity.net/2019/web-of-trust-dead/

weinzierl2y ago

Yes, but there was also little pressure to really build the WOT. People, like myself, did it because it was fun, but no one really relied on it. This could change, but it is still far from certain if it'd work given enough pressure.

progbitsOP2y ago

Chain/web was typo, corrected, thanks.

I know of the key party issues. But there is some value to knowing how far removed from me and people I trust the project authors are.

woodruffw2y ago

> But there is some value to knowing how far removed from me and people I trust the project authors are

That's true!

msm_2y ago

Nowadays i achieve this with linkedin[1] connections. Less nerd cred, but achieves roughly the same purpose (most of the people I care about in my niche are at most a 3rd degree connection - a friend of a friend of a friend).

[1] formerly also twitter, at least partially.

EthanHeilman2y ago

The web of punches?

j / k navigate · click thread line to collapse