Hey List, Hey Derick

On 02.04.24 at 16:15, Derick Rethans wrote:

> Hi,
>
> What do y'all think about requiring GPG signed commits for the php-src repository?
In general I think it is a good idea to do GPG signed commits. But in terms of security, the idea is to be able to authenticate a user, and the only thing we truly and reliably can do is connect a GitHub account to a commit. Whether that commit author is actually Jane Doe or Karl Napp is still not necessarily proven.

So if we want to make sure that something like XY doesn't happen, we have to add some additional restrictions to those GPG keys.
If it is just to have signed commits: I am absolutely in favour.

Cheers

Andreas

--
Andreas Heigl
mailto:andr...@heigl.org  N 50°22'59.5" E 08°23'58"
https://andreas.heigl.org
https://hei.gl/appointmentwithandreas
GPG-Key: https://hei.gl/keyandreasheiglorg
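As an added example (not code from this thread or from php-src), here is one way to implement the "additional restriction" Andreas describes: take the gpg status lines that `git verify-commit --raw <commit>` prints and accept the commit only if the signing key's primary fingerprint is registered to the committer, rather than merely checking that the signature is valid. The allowlist, fingerprints and addresses are constructed placeholders.

```python
"""Accept a commit only if its signature is good AND the key is bound to the committer.

Input is the gpg status stream that `git verify-commit --raw <commit>` prints
(lines prefixed with "[GNUPG:]"). The allowlist values below are constructed
placeholders, not real keys or people.
"""
from typing import Dict, Optional

# Hypothetical registry: primary-key fingerprint -> e-mail it was registered for.
ALLOWED_KEYS: Dict[str, str] = {
    "1111222233334444555566667777888899990000": "jane@example.org",
}

STATUS_PREFIX = "[GNUPG:] "


def signing_primary_fingerprint(status: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG line, or None.

    gpg emits VALIDSIG only for a cryptographically good signature; its last
    field is the primary key fingerprint, so a signature made with a subkey
    still maps to the registered identity. BADSIG/ERRSIG/NO_PUBKEY give None.
    """
    for line in status.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields and fields[0] == "VALIDSIG" and len(fields) == 11:
            return fields[-1].upper()
    return None


def check_commit(status: str, committer_email: str) -> str:
    """Classify a commit: ok / unsigned-or-invalid / unknown-key / key-not-bound."""
    fpr = signing_primary_fingerprint(status)
    if fpr is None:
        return "unsigned-or-invalid"
    owner = ALLOWED_KEYS.get(fpr)
    if owner is None:
        return "unknown-key"      # good signature, but nobody registered this key
    if owner.lower() != committer_email.lower():
        return "key-not-bound"    # a registered key, but not the committer's own
    return "ok"


# Constructed sample status output in the shape gpg uses for a good signature.
SAMPLE_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 5555666677778888 Jane Doe <jane@example.org>",
    "[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2024-04-02 "
    "1712067300 0 4 0 1 10 00 1111222233334444555566667777888899990000",
    "[GNUPG:] TRUST_FULLY 0 pgp",
])
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 5555666677778888 Jane Doe <jane@example.org>"
```

In a pre-receive hook you would feed each new commit's `git verify-commit --raw` output and the committer address from `git log -1 --format=%ce` into `check_commit` and reject anything that is not "ok".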