Signing something that you did not write and something that you don't read is a bad security practice that exposes you to various attacks.
Just because we have been doing this poor security practice for a long time does not make it better. Now better methods are possible and we shouldn't prevent them from being used just because we are used to the weaker approach.

On Mon, 24 Jun 2024, 18:34 Scott Kitterman, <deb...@kitterman.com> wrote:
>
> None of that changes the fact that it's what they signed. Historically,
> the project has found that useful and I think it still is.