Do you have any examples of problems that this would have avoided (xz-utils isn't one - due to the way its releases are done, it wouldn't be suitable for tag2upload)?
Scott K

On June 24, 2024 6:36:59 PM UTC, Aigars Mahinovs <aigar...@gmail.com> wrote:
>Signing something that you did not write and something that you don't read
>is a bad security practice that exposes you to various attacks.
>
>Just because we have been doing this poor security practice for a long time
>does not make it better. Now better methods are possible and we shouldn't
>prevent them from being used just because we are used to the weaker
>approach.
>
>On Mon, 24 Jun 2024, 18:34 Scott Kitterman, <deb...@kitterman.com> wrote:
>
>>
>> None of that changes the fact that it's what they signed. Historically,
>> the project has found that useful and I think it still is.