this repo has no description
anil.recoil.org
1opam-version: "2.0"
2homepage: "https://github.com/hannesm/conex"
3dev-repo: "git+https://github.com/hannesm/conex.git"
4bug-reports: "https://github.com/hannesm/conex/issues"
5doc: "https://hannesm.github.io/conex/doc"
6maintainer: ["Hannes Mehnert <hannes@mehnert.org>"]
7license: "BSD-2-Clause"
8
9build: [
10 ["dune" "subst"] {dev}
11 ["dune" "build" "-p" name "-j" jobs]
12]
13
14depends: [
15 "ocaml" {>= "4.03.0" & < "5.0.0"}
16 "dune"
17 "cmdliner"
18 "opam-file-format" {>= "2.0.0~rc2"}
19]
20synopsis: "Establish trust in community repositories"
21description: """
22Conex is a utility for verify and attest release integrity and authenticity of community repositories through the use of cryptographic signatures (RSA-PSS-SHA256). It is based on [the update framework](https://theupdateframework.github.io/), especially on their [CCS 2010 paper](https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf), and adapted to the requirements of the [opam](https://ocaml.opam.org) [repository](https://github.com/ocaml/opam-repository).
23
24The developer sign their release checksums and build instructions. A quorum (with a configurable threshold) of repository maintainers signs the package name to developer key relation. These repository maintainers are enrolled by a quorum of offline root keys.
25
26The [TUF spec](https://github.com/theupdateframework/specification/blob/master/tuf-spec.md) has a good overview of attacks and threat model, both of which are shared by conex."""
27authors: "Hannes Mehnert <hannes@mehnert.org>"
28url {
29 src:
30 "https://github.com/hannesm/conex/releases/download/0.10.1/conex-0.10.1.tbz"
31 checksum: [
32 "sha256=8e92a9fce2133fa44f7d81211790e911a1e011a138ca56da48af50d612ed4b81"
33 "md5=1e09e8e28c4b26d5a22b3a5afd1fdc5c"
34 ]
35}