Maybe don't auto-generate keys? #22

michaelpj · 2022-11-01T14:50:32Z

Given that

There is a command to create keys
There is a way to build without keys
Building with a freshly created set of keys is rarely what you want

I think it would be reasonable to not automatically generate keys. It mostly makes it easier to do 3 by accident, which is rarely what you want.

michaelpj · 2022-11-01T14:53:47Z

Brainstorming: perhaps we should flip the polarity and not sign by default, unless you explicitly say to do so.

Then we'd want a way to prevent people from forgetting, maybe we want a repo.toml in the root that specifies whether the repo is supposed to be secure or not. Then it's all very explicit.

andreabedini · 2022-11-02T09:45:13Z

perhaps we should flip the polarity and not sign by default, unless you explicitly say to do so.

I think this is a good idea. To be fair, I thought signatures were required when I first started working on this.

andreabedini · 2022-11-04T02:48:20Z

@michaelpj see #23

bgamari · 2023-03-21T13:48:08Z

Yes, I agree that automatic key generation should not be enabled by default. This behavior has lead to some very surprising bugs in my experience.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Maybe don't auto-generate keys? #22

Maybe don't auto-generate keys? #22

michaelpj commented Nov 1, 2022

michaelpj commented Nov 1, 2022

andreabedini commented Nov 2, 2022

andreabedini commented Nov 4, 2022

bgamari commented Mar 21, 2023 •

edited

Maybe don't auto-generate keys? #22

Maybe don't auto-generate keys? #22

Comments

michaelpj commented Nov 1, 2022

michaelpj commented Nov 1, 2022

andreabedini commented Nov 2, 2022

andreabedini commented Nov 4, 2022

bgamari commented Mar 21, 2023 • edited

bgamari commented Mar 21, 2023 •

edited