> And there will never be

Are you an authority on this? Or just trying your hand at being a pundit with an endless supply of unsubstantiated stop energy?

> I'm just pointing out that you can already construct a scheme with the same security properties as what you described.

No, you can't. You're writing as if the "you" here is the party in control of the service backend—the developer. That's not what this is about. This is about how you—the user—can trust that out of the n times you visited the site it didn't serve up tampered assets to backdoor the process. If this were about developers, we wouldn't be having this discussion; the developer doesn't need to request proof that he or she hasn't done any tampering to covertly introduce a backdoor.

> "GitLab/Mastodon/Whatever XX.x Released" seems to be just good enough.

I'm convinced at this point that either you're just responding without actually giving any consideration to the words coming from either one of us, or I'm having a frustrating exchange with a chatbot.

I'm the one who wrote that a release announcement on the project blog suffices to verify out-of-band that the user should expect the resources to change. You're the one who wrote this:

> Hashes of leaf resources would be embedded in parent resources up to the root document that you could announce out-of-band

So why are you now trying to explain to me that a release announcement blog post is "good enough"? Clearly if I didn't think so, I wouldn't have argued for it.

I won't be returning to this thread.
