The implementation we have in stack follows the plan in the
above-linked proposal pretty directly. Let me just flesh it out

The story still isn't complete: we have no way to verify that
the package author really is the person who uploaded the package.
Stay tuned to the upload/signature author work we're doing, which
will hopefully be available Real Soon Now(tm).