by jgarzik on 11/29/14, 4:38 PM with 0 comments
Modern operating systems send binaries (packages) inside a digital signature chain of trust. If you download a secure operating system the first time, the system can then maintain a chain of trust to ensure future upgrades are digitally signed to be from Apple, Microsoft, Canonical (Ubuntu), etc.
The world needs the same level of trust for browser JS code. How to lasso the current JS world into a secure envelope that is (for open source projects) verifiable from a PGP-signed git commit all the way through to the end-user browser?
Anybody working on that?