conex-nocryptoversion
Establish trust in community repositories
Conex is a utility for verify and attest release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on the update framework, especially on their CCS 2010 paper, and adapted to the requirements of the opam repository.
The developer sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation. These repository maintainers are enrolled by a quorum of offline root keys.
The TUF spec has a good overview of attacks and threat model, both of which are shared by conex.
Author | Hannes Mehnert <hannes@mehnert.org> |
---|---|
License | BSD-2-Clause |
Published | |
Homepage | https://github.com/hannesm/conex |
Issue Tracker | https://github.com/hannesm/conex/issues |
Maintainer | Hannes Mehnert <hannes@mehnert.org> |
Dependencies | |
Source [http] | https://github.com/hannesm/conex/releases/download/0.10.0/conex-0.10.0.tbz sha256=536163045d3624009c4a2ec678a1b531be9485db233f5db43613b3809180a1a9 md5=39cdb4e3a550703e61b2f56d20323fdd |
Edit | https://github.com/ocaml/opam-repository/tree/master/packages/conex-nocrypto/conex-nocrypto.0.10.0/opam |
No package is dependent