From 93633a5d623f6e5ba39dfc19cdbc7e03bf094045 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Fri, 11 Jun 2021 14:11:36 +0200 Subject: fixed argument on end-user enforcement --- README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 82896e1..40af295 100644 --- a/README.md +++ b/README.md @@ -25,13 +25,12 @@ repository misses a corresponding log entry by inspecting the log. The claim that the same binaries are published for everyone can be _verified_. Starting to apply the pattern of transparent logging is already an improvement -without any end-user enforcement. TODO: fixme. +without any end-user enforcement. It becomes easier to detect honest mistakes +and attacks against your website or package repository. -For example, binaries (maliciously signed or not) that have yet to be logged can -be detected by a monitor. To make the most out of siglog, end-users should -enforce public logging sometime in the future. This means that a binary in the -above example would be _rejected_ unless a corresponding signed checksum is -logged. Such enforcement will require a gradual roll-out to be realistic. +To make the most out of siglog in the future, end-users should start to enforce +public logging. This means that a binary in the above example would be +_rejected_ unless a corresponding signed checksum is publicly logged. ## Design considerations We had several design considerations in mind while developing siglog. A short -- cgit v1.2.3
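Review bot: the hunk drops the only sentence that named the detection mechanism, `-For example, binaries (maliciously signed or not) that have yet to be logged can` `-be detected by a monitor.`, while the replacement `+and attacks against your website or package repository.` says detection gets easier without saying who does it or how; consider keeping a short clause such as "because a monitor can spot binaries that were never logged". Two smaller points in the same hunk: the surviving phrase `a binary in the above example` used to point at that removed "For example" paragraph, so check that it still refers to something concrete in the context above; and the deleted caveat `-logged. Such enforcement will require a gradual roll-out to be realistic.` is the rationale for "in the future" in the new wording, so it may be worth carrying over rather than dropping.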