oss-sec mailing list archives

Re: Re: Best practices for signature verification


From: Eli Schwartz <eschwartz () gentoo org>
Date: Tue, 30 Dec 2025 21:56:44 -0500

On 12/30/25 7:27 PM, Ali Polatel wrote:

> signing yet again. This time, though, I decided to act on it. I wrote
> a clean Rust implementation of signify and called it signify-rs[3].
> It uses the same license (ISC) as the reference implementation. Code
> is free of unsafes and arithmetic side effects. No proc macros are used
> in the code or any dependencies making it static-linking friendly. It's
> fairly portable and passes tests on FreeBSD, NetBSD, Linux and Windows.
>
> [...]
>
> Sharing is caring, so here is the git[5] and CI[6]. CI saves
> static-linked signify binaries as build artifacts which gives
> an option to quickly test. Enjoy.
>
> [5]: https://git.sr.ht/~alip/signify
> [6]: https://builds.sr.ht/~alip/signify


This looks... slightly worrying to me. Is it called "signify" or
"signify-rs"?

I assume the latter is a workaround for the fact that there's already a
semi-popular "clean rust" implementation that started life in 2016,
which owns the former name:

https://crates.io/crates/signify
https://github.com/badboy/signify-rs

So we have a venerable "signify-rs" repo that provides "signify", and a
new "signify" repo that provides "signify-rs". Which one to use?

It seems evident, given you published as "signify-rs", that you're aware of
the conflict, at least.


-- 
Eli Schwartz
