- From: cynthia <notifications@github.com>
- Date: Wed, 27 Sep 2017 06:25:41 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 27 September 2017 13:26:05 UTC
> Signing content dynamically on the server seems to substantially reduce the guarantees the signature provides. I'm sure there are valid use cases for that kind of setup, but, again, it's not the use case we're targeting.

I believe if you have a CI that automates building and deploying to a staging server that is an exact replica of the production, and you take the built package straight to production if everything works in staging, you would want your CI server to sign it for simplified deployment. (Given that the CI server has decent policies blocking private key access, this probably is not too likely to happen in the real world though.)

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/186#issuecomment-332519628