Remix clone Hacker News

What is an example of something that would require "distributed signing"?

ilikebits 4 days ago | parent | next [-]

Our use case is customers who (1) want to use a managed cloud hosting service that we provide, but (2) are not willing to give us their signing keys. Our design allows them to keep all of their signing keys local to their environment.

To our knowledge, we have not found another provider who supports both of these requirements. It's not some amazing technical innovation, but it is one of those annoying paper cuts that builds up with all the others.

▲

benwilber0 4 days ago | parent | next [-]

> when we tried to use them in production at scale

Debian and Ubuntu have been using them in production and "at scale" for decades. What are the "sharp edges" that you're trying to solve?

	▲	ilikebits 4 days ago \| parent [-]
		That's true! The Debian and Ubuntu folks are also experts at this. In our experience, the sharp edges generally affect teams that don't have a lot of in-house expertise in this, and where release engineering is not a core engineering competency that they want to invest in.

▲

rlpb 4 days ago | parent | prev [-]

Signing an unsigned apt repository is about three gpg commands though. I don't see how this kind of thing requires a whole separate product.

	▲	ilikebits 4 days ago \| parent [-]
		Yeah, solving this locally for one repository definitely isn't that hard at all. Most of the features we're building become useful when you're trying to build CI integrations for a larger team while also complying with enterprise security requirements (e.g. audit logging, HSM key protections, etc.).

▲

4 days ago | parent | prev [-]

[deleted]