Podcast: Chaos Computer Club - recent audio-only feed
Episode: Verification of OS artifacts without stateful keyrings (asg2025)
Description: Many OS artifacts today are still verified using proprietary, stateful keyring formats.
The "File Hierarchy for the Verification of OS Artifacts (VOA)" is an attempt to rid the ecosystem of this limitation by implementing a generic lookup directory.
Designed with extensibility in mind, this unifying hierarchy currently provides integration for OpenPGP, with further integrations planned.
During work on improvements to the [ALPM](https://alpm.archlinux.page) ecosystem, the way packages and other OS artifacts are currently verified on Arch Linux was evaluated.
Noticing the extensive vendor lock-in to GnuPG and with today's widespread availability of [Stateless OpenPGP...