How PGP is used to verify software binaries: blindly trust and import the GPG public key that we show next to the same place you are downloading the binaries.
nostr + WoT fixes this. 
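The post above describes the weak form of the workflow (import whatever key sits beside the download). As an added example, not part of the thread, here is a POSIX shell script that does the stronger version: it reads the key's fingerprint without importing it, compares it to a fingerprint obtained out of band, lists the key's certifications so you can see whether the web of trust actually vouches for it, and then requires the detached signature to have been made by that exact key. File names (`release-key.asc`, `release.tar.gz`, `release.tar.gz.asc`) and the expected fingerprint are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires gpg on PATH.
# Hypothetical inputs: a key file, an out-of-band fingerprint, a detached
# signature and the downloaded artefact.

# Normalise a fingerprint: drop spaces and uppercase, so "ab cd" equals "ABCD".
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Exit 0 if two fingerprints are equal after normalisation, 1 otherwise.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Read the primary key fingerprint from a key file WITHOUT importing it.
# The "fpr" record's 10th colon-separated field is the fingerprint.
key_file_fpr() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_release KEYFILE EXPECTED_FPR SIGFILE DATAFILE
# Fails before import if the key does not match the out-of-band fingerprint,
# and fails after verification if the signature came from any other key.
verify_release() {
    keyfile=$1; expected=$2; sigfile=$3; datafile=$4
    actual=$(key_file_fpr "$keyfile")
    if ! fpr_matches "$actual" "$expected"; then
        echo "refusing to import: fingerprint $actual != expected $expected" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" >/dev/null 2>&1
    # Who has certified this key? Only a self-signature here means the web
    # of trust adds nothing beyond the out-of-band fingerprint check.
    gpg --batch --check-sigs "$(norm_fpr "$expected")"
    # VALIDSIG carries the signing key's full fingerprint; insist it is ours.
    gpg --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $(norm_fpr "$expected") "
}

# Usage (hypothetical values):
# verify_release release-key.asc "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000" \
#     release.tar.gz.asc release.tar.gz && echo "release verified"
```

The point of `--import-options show-only` is that the fingerprint check happens before the key ever enters the keyring; `--check-sigs` is where the web of trust becomes visible, and matching on `VALIDSIG` rather than on the exit status alone guards against a "valid" signature from some other key that happens to be in the keyring.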
 But WoT exists in gpg? It isn't very widely used, in practice, but it has to at least be mentioned that it does work.

 ... In what sense might nostr combined with WoT fix it? Because a lot more people will have keypairs I guess? 
 Yes. I see nostr as enhanced pgp with easier social UX. We just need to get the tooling right for this specific use case. 
So un-widely-used that the JoinMarket release signing PGP keys haven't signed each other :)
 You should do that? 
 It's rare that someone posts something on the internet that actually embarrasses me, so congrats on that, 😄 
 Actually both that example, as well as the xkcd posted here, remind me of the really big problem - the bar you try to set very high for signing a key, resulting in keys just ... not getting signed. Still, all the same ... 
 This (releases) is on the roadmap for gitworkshop.dev.
Would you like to collaborate on the details? 
 I have so many questions, but yes!