Simon Josefsson simon@josefsson.org writes:
> I added this idea here:
Thanks, I've commented on the issue.
> You mentioned an archival service, what is that?
I didn't have any particular service in mind, just the abstract thing of somewhere where the key owner is authorized to upload data, and where the data is properly backed up and/or mirrored, unlikely to disappear, and available to the public.
> One idea is to recommend people to get things archived into the Software Heritage:
I'm not familiar with Software Heritage. I imagine an archive where random users can upload stuff will have its own set of complications, including some procedure to unpublish stuff for legal reasons. But at least those issues are different from hosting a public sigsum log, which is why separation makes sense to me.
I think it's also worth noting that if you sigsum log a claim that an artifact with a given hash is reproducibly built from some recipe (repo, git tag, toolchain version etc) it's not strictly necessary to put the artifact itself into a reliable archive service.
Regards, /Niels
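The last point in the message above (a logged claim "artifact with hash H is reproducibly built from recipe R" removes the need to archive the artifact itself) is illustrated below with an added example that is not part of the original thread and is not sigsum's own code or claim format. It assumes a hypothetical claim layout (artifact SHA-256 plus a repo/tag/toolchain recipe, canonicalised as sorted JSON) and a stand-in `simulated_build` function that plays the role of a deterministic build; what a log would actually store is the hash of the canonical claim bytes, so a verifier only needs the recipe, rebuilds, and compares hashes.

```python
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class BuildRecipe:
    """Everything a third party needs to rebuild the artifact (hypothetical fields)."""
    repo: str        # source repository URL
    git_tag: str     # exact revision that was built
    toolchain: str   # compiler / toolchain identifier


@dataclass(frozen=True)
class ReproducibleBuildClaim:
    """Claim that an artifact with this hash is produced by building `recipe`."""
    artifact_sha256: str
    recipe: BuildRecipe


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_claim_bytes(claim: ReproducibleBuildClaim) -> bytes:
    # Sorted keys and no whitespace: every party must serialise the claim
    # identically, or the leaf hashes they compute will not match.
    doc = {"artifact_sha256": claim.artifact_sha256, "recipe": asdict(claim.recipe)}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def make_claim(artifact: bytes, recipe: BuildRecipe) -> ReproducibleBuildClaim:
    """Claim the key owner would sign and submit: hash of the bytes plus the recipe."""
    return ReproducibleBuildClaim(artifact_sha256=sha256_hex(artifact), recipe=recipe)


def leaf_hash(claim: ReproducibleBuildClaim) -> str:
    """What a transparency log needs to record: a hash of the canonical claim,
    not the artifact itself (assumed layout, not sigsum's leaf format)."""
    return sha256_hex(canonical_claim_bytes(claim))


def simulated_build(recipe: BuildRecipe) -> bytes:
    # Constructed stand-in for a real reproducible build: deterministic in the recipe.
    return f"binary built from {recipe.repo}@{recipe.git_tag} with {recipe.toolchain}".encode()


def verify_rebuild(claim: ReproducibleBuildClaim, rebuilt: bytes) -> bool:
    """Verifier side: rebuild from the logged recipe and check the hash matches.
    Uses constant-time comparison out of habit; the hashes are public anyway."""
    import hmac
    return hmac.compare_digest(sha256_hex(rebuilt), claim.artifact_sha256)


if __name__ == "__main__":
    recipe = BuildRecipe("https://example.invalid/proj.git", "v1.2.3", "gcc-13.2")
    artifact = simulated_build(recipe)
    claim = make_claim(artifact, recipe)
    print("logged leaf:", leaf_hash(claim))
    # An independent rebuild from the same recipe verifies without any archived copy.
    print("rebuild verifies:", verify_rebuild(claim, simulated_build(recipe)))
    # A modified binary does not match the logged claim.
    print("tampered verifies:", verify_rebuild(claim, artifact + b"\x00"))
```

The verifier never needs the original bytes: anyone holding the logged claim and the recipe can reproduce the artifact and check it, which is exactly why the artifact itself does not have to live in a durable archive for the claim to stay useful.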