Comment by gruez

Comment by gruez 5 days ago

4 replies

View on Hacker News

PGP keys don't tell you anything about a developers "real identity". Theoretically theres some "web of trust", but realistically everyone just blindly downloads whatever PGP key is listed on the repo's install instructions.

brabel 5 days ago

Bullshit. The public key can be obtained by several easy means, like visiting the publisher website or social network site like GitHub which is common. That verifies the identity just as well as any certificate! But with much less trouble.

Reply View 3 replies
  • gruez 5 days ago

    How are you still missing the "real identity" part? A bitcoin address might be easily verifiable, but isn't anyone's idea of "real identity".

    Reply View 1 reply
    • brabel 4 days ago

      Real identity is impossible to establish beyond any doubt, and a certificate is no better than a key on a website, in fact it's essentially the exact same thing.

      Reply View 0 replies
  • [removed] 5 days ago
    [deleted]
    Reply View 0 replies