Comment by donaldstufft
1 year ago
The problem with TOFU is that it assumes long-lived keys (itself a bad practice) OR it assumes that the end user will be fine with regular notices that the keys that have signed their packages have changed, and will be able to correctly differentiate false positives from real positives.
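The trade-off described in the comment, as an added example that is not part of the original post or of any real package manager: a minimal client-side TOFU pin store is run through three key histories for the same package. The package name and the key bytes are constructed placeholders standing in for real public keys, and signature verification itself is left out so the example isolates the pinning decision.

```python
"""TOFU (trust on first use) key pinning for a package signer.

Added example, not code from the comment above or from any real package
manager. Key bytes and package names are constructed placeholders; a real
client would verify the release signature with the key before consulting
the pin store.
"""
import hashlib
from dataclasses import dataclass, field

FIRST_USE = "pinned-on-first-use"          # no prior pin: trust and record the key
MATCH = "ok"                                # same key as pinned: silent success
CHANGED = "warning: signing key changed"    # pin mismatch: the user must decide


def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint of a public key, the value a client would pin."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class TofuStore:
    """Client-side pin store: package name -> fingerprint of the first-seen signer key."""
    pins: dict = field(default_factory=dict)

    def check(self, package: str, signer_key: bytes) -> str:
        """Pin the key on first sight, otherwise compare it with the pinned one."""
        fp = fingerprint(signer_key)
        pinned = self.pins.get(package)
        if pinned is None:
            self.pins[package] = fp
            return FIRST_USE
        if pinned == fp:
            return MATCH
        return CHANGED


def run_scenarios() -> dict:
    """Install the same package twice under three different key histories.

    Returns the verdict of the second install in each scenario, plus whether
    the pin store's output lets the user tell rotation apart from compromise.
    """
    # Constructed stand-ins for the publisher's and an attacker's public keys.
    publisher_v1 = b"constructed: publisher key, 2023"
    publisher_v2 = b"constructed: publisher key, rotated 2024"
    attacker_key = b"constructed: attacker key"

    results = {}

    # Scenario 1: long-lived key. The warning never fires, but the same key
    # signs every release indefinitely, which is the practice the comment objects to.
    store = TofuStore()
    store.check("widget", publisher_v1)
    results["long_lived"] = store.check("widget", publisher_v1)

    # Scenario 2: legitimate rotation. The publisher retires key v1 for v2.
    store = TofuStore()
    store.check("widget", publisher_v1)
    results["rotation"] = store.check("widget", publisher_v2)

    # Scenario 3: compromise. An attacker substitutes their own signing key.
    store = TofuStore()
    store.check("widget", publisher_v1)
    results["compromise"] = store.check("widget", attacker_key)

    # The pin store alone cannot separate scenarios 2 and 3: both surface as
    # the identical warning, and the client holds no in-band evidence to resolve it.
    results["distinguishable"] = results["rotation"] != results["compromise"]
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16} {verdict}")
```

Run stand-alone, the script prints `ok` for the long-lived key and the same `warning: signing key changed` for both the rotation and the compromise; `distinguishable` is `False`. That is the choice the comment points at: either rotation is avoided so the warning stays rare, or the user is asked to adjudicate a warning that looks the same whether the publisher rotated or an attacker stepped in.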