Hi
[Resending, because my mail server failed to look up php.net. It looks
good now, I apologize for duplicate copies.]
On 4/3/24 19:28, John Coggeshall wrote:
> That's really unfortunate (why even bother). IMO without some sort of web of
> trust verification process for GPG, this just feels like added barriers for no
> actual win. In fact, if anything I think it's more likely to give the project a
> false sense of security.
While it does not *prevent* any attacks, it possibly simplifies an
investigation:
For example: Did John Doe suddenly start signing with a new key? Or was
only a single commit signed with a different key?
If John uses a different key for each computer (e.g. one for the work
laptop and one for the private gaming computer), then the signature
possibly allows determining which machine was compromised.
These are useful signals to determine the possible scope of an attack.
Best regards
Tim Düsterhus
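The triage heuristic Tim describes (did an author switch to a new key, or was a single commit signed with a different key?), as an added example that is not part of this thread or of php-src tooling: it parses `git log --format='%H %GK %an'` output and flags commits whose key is not the author's usual one. The commit ids, key ids and names in the sample are constructed placeholders, not real data.

```python
from collections import Counter, defaultdict

# Constructed sample of `git log --format='%H %GK %an'` output.
# %GK is the key id that signed the commit and is empty for unsigned
# commits, which leaves two consecutive spaces (see "a7" below).
SAMPLE_LOG = "\n".join([
    "a1 KEYJOHN1 John Doe", "a2 KEYJOHN1 John Doe",
    "a3 KEYJOHN2 John Doe", "a4 KEYJOHN1 John Doe",
    "a5 KEYJANE1 Jane Roe", "a6 KEYJANE1 Jane Roe", "a7  Jane Roe",
    "b1 KEYBOB1 Bob Ray", "b2 KEYBOB1 Bob Ray", "b3 KEYBOB1 Bob Ray",
    "b4 KEYBOB2 Bob Ray", "b5 KEYBOB2 Bob Ray",
    "c1 KEYANN1 Ann Lee", "c2 KEYANN1 Ann Lee",
])


def parse_log(text):
    """Parse 'hash key author' lines into (hash, key, author); key is '' if unsigned."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, key, author = line.split(" ", 2)  # keeps the empty key field
        entries.append((commit, key, author.strip()))
    return entries


def find_anomalies(entries):
    """Return {author: [(commit, key, kind), ...]} for commits not signed with
    the author's usual (most frequent) key.  kind is 'unsigned',
    'single-commit-key' (key seen once for this author: one odd commit) or
    'new-key' (key seen on several commits: the author switched keys)."""
    by_author = defaultdict(list)
    for commit, key, author in entries:
        by_author[author].append((commit, key))
    report = {}
    for author, commits in by_author.items():
        key_counts = Counter(k for _, k in commits if k)
        usual_key = key_counts.most_common(1)[0][0] if key_counts else None
        flagged = []
        for commit, key in commits:
            if key == usual_key:
                continue
            kind = "unsigned" if not key else (
                "single-commit-key" if key_counts[key] == 1 else "new-key")
            flagged.append((commit, key, kind))
        if flagged:
            report[author] = flagged
    return report


if __name__ == "__main__":
    for author, hits in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(author, hits)
```

The output only narrows where to look (which author, which commits, which machine's key); whether a flagged commit is malicious still has to be established by reading it.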