Several years ago, I put together a proof of concept for package dependency management that uses git with signature verification for more secure dependency management. Each dependency update is verified with each of the maintainer's key.
For reference, please visit: https://github.com/braydonf/gpk
The trick, you just need to have a git remote for ALL dependencies and have public keys for ALL maintainers. A registry for packages that support it would greatly help in that regard!
Decentralized software registries in Nostr?
Braydon Fuller
npub1r0u…zzyc
2024-01-29 23:55:30
Author Public Key
npub1r0ulywwu593kzjdu9uluxdq80t54n65kql9vl9z7lrutkgnachssk7zzycPublished at
2024-01-29 23:55:30Event JSON
{
"id": "f0db5561993e1d784674a181a6b1226518e29efde416797896e1e97383b33825",
"pubkey": "1bf9f239dca1636149bc2f3fc334077ae959ea9607cacf945ef8f8bb227dc5e1",
"created_at": 1706568930,
"kind": 1,
"tags": [
[
"r",
"https://github.com/braydonf/gpk"
]
],
"content": "Several years ago, I put together a proof of concept for package dependency management that uses git with signature verification for more secure dependency management. Each dependency update is verified with each of the maintainer's key.\n\nFor reference, please visit: https://github.com/braydonf/gpk\n\nThe trick, you just need to have a git remote for ALL dependencies and have public keys for ALL maintainers. A registry for packages that support it would greatly help in that regard!\n\nDecentralized software registries in Nostr?",
"sig": "38847bd3c4e638ce339ce775c1b4c23c8ec3fdfe29c032c71bcd6f6fc0d0bd1c5ac235cc7546277fd69bfb3d0143b377f6565ddec0d37dded8b120398a0597bb"
}