On Tue, 2 Apr 2024, Ayesh Karunaratne wrote:
> > What do y'all think about requiring GPG signed commits for the
> > php-src repository?
> >
> > I had a look, and this is also something we can enforce through
> > GitHub as well (by using branch protections).
>
> +1 from me as well, and quite good timing with all the xz fiasco just
> last week.
>
> Git can also sign with SSH keys now, so this is now merely a config
> update.
The issue with SSH keys is that they cannot be signed by others to form a
"web of trust". For example, my key has been signed by several other
people:

https://keyserver.ubuntu.com/pks/lookup?search=derick%40php.net&fingerprint=on&op=index

cheers,
Derick
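Added example, not code from this thread or from the php-src project: the "config update" that turns on SSH commit signing, followed by the verification step that shows what stands in for a web of trust with SSH signatures. git checks an SSH signature only against a local allowed_signers file (gpg.ssh.allowedSignersFile); a signature from a key that is not listed there fails verification even though it is cryptographically valid, so the trust decision is a file each verifier maintains by hand. Assumptions: git 2.34 or newer and OpenSSH 8.2 or newer (ssh-keygen -Y) on PATH; the identity dev@example.org, the throwaway key and all paths are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the php-src thread). Signs one commit with a
# freshly generated SSH key, then verifies it twice: first with an empty
# allowed_signers file (fails: no principal to trust the key for), then
# after listing the key (succeeds). Assumes git >= 2.34 and ssh-keygen -Y.
# Prints one word: good, unknown-signer-accepted, bad, or skipped.

ssh_signing_demo() (
    # Skip cleanly when the tools are not installed.
    command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
    command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; return 0; }

    work=$(mktemp -d) || return 1
    keyfile="$work/signing_key"          # made-up path for the demo
    signers="$work/allowed_signers"      # made-up path for the demo
    repo="$work/repo"

    # 1. A throwaway ed25519 key with no passphrase so the demo runs unattended.
    ssh-keygen -q -t ed25519 -N '' -C dev@example.org -f "$keyfile" >/dev/null 2>&1

    # 2. The "config update": SSH signing, the key, and the signers file.
    git init -q "$repo" >/dev/null 2>&1
    git -C "$repo" config user.name "Dev"
    git -C "$repo" config user.email dev@example.org
    git -C "$repo" config gpg.format ssh
    git -C "$repo" config user.signingkey "$keyfile"
    git -C "$repo" config gpg.ssh.allowedSignersFile "$signers"
    git -C "$repo" config commit.gpgsign true

    echo hello > "$repo/file.txt"
    git -C "$repo" add file.txt
    # An older git without gpg.format=ssh fails here; treat that as skipped.
    git -C "$repo" commit -q -m "signed commit" >/dev/null 2>&1 \
        || { rm -rf "$work"; echo skipped; return 0; }

    # 3. Empty allowed_signers: the signature is valid, but git has no
    #    principal it trusts the key for, so verification must fail.
    : > "$signers"
    if git -C "$repo" verify-commit HEAD >/dev/null 2>&1; then
        rm -rf "$work"; echo unknown-signer-accepted; return 1
    fi

    # 4. The out-of-band trust decision: list "principal keytype key" in
    #    allowed_signers. Now the same commit verifies.
    printf '%s %s\n' dev@example.org "$(cut -d' ' -f1,2 "$keyfile.pub")" > "$signers"
    if git -C "$repo" verify-commit HEAD >/dev/null 2>&1; then
        result=good
    else
        result=bad
    fi

    rm -rf "$work"
    echo "$result"
)

ssh_signing_demo
```

The allowed_signers line is the whole trust model: nothing in it says who vouched for the mapping from dev@example.org to that key, which is the point of difference from a GPG key carrying third-party signatures. For a shared repository the file has to be distributed and maintained separately (git does not fetch it), and `gpg.ssh.allowedSignersFile` must point at it on every machine that verifies.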