On 17 July 2015 at 13:13, NP-Hardass <NP-Hardass@g.o> wrote:
> Additionally, I feel that a signature is a means of acknowledging that
> a package has been looked over, and that developer has stated that
> they approve of the existing state

That much is somewhat implied by a developer owning a commit, because
in git, single commits span multiple files.

There are GIT_COMMITTER and GIT_AUTHOR values in every commit.

And a "Signature" is a digital proof that Joe Bloggs didn't forge a
commit, label it "NP-Hardass" and push it on to some server pretending
to be NP-Hardass.

It might sound like rubber stamping, but it's no more rubber stamped
than our current workflow where signature generation is automatic and
having a signed manifest doesn't in fact mean it *has* been looked at,
it's only signing who touched it last.

For NSA to break a Manifest, they'd need to update an entry and resign
it, and then we could later work out who signed what manifests if we
had any problem.

--
Kent

KENTNL - https://metacpan.org/author/KENTNL
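As an added illustration of the point Kent makes above (this is my example, not code from the thread or from Gentoo's own tooling): a small Python parser for git's raw commit-object format, the text `git cat-file commit <sha>` prints. It shows that the author and committer lines are unauthenticated text, that the object id merely hashes them, and that the only thing tying a commit to a person is the gpgsig header, whose signature covers those identity lines, so relabelling the committer invalidates it. The sample commits, the addresses, the tree/parent hashes, the signature bytes and the DEVELOPER_EMAILS allow-list are all constructed placeholders; the real cryptographic check is `git verify-commit`, which this code deliberately does not replace.

```python
import hashlib
import re

# Constructed sample commit objects in git's raw format. The identities, hashes
# and the signature bytes are placeholders, not real data.
HEADER_LINES = [
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "parent 1111111111111111111111111111111111111111",
    "author Example Dev <dev@example.invalid> 1437138780 +0100",
    "committer Example Dev <dev@example.invalid> 1437138780 +0100",
]
# A gpgsig header spans several lines; git marks continuation lines with a leading space.
SIGNATURE_LINES = [
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " iQEcBAABAgAGBQJVqXPLACEHOLDERNOTAREALSIGNATURE=",
    " =AbCd",
    " -----END PGP SIGNATURE-----",
]
MESSAGE = "sys-apps/example: bump to 1.2.3\n"

UNSIGNED_COMMIT = "\n".join(HEADER_LINES) + "\n\n" + MESSAGE
SIGNED_COMMIT = "\n".join(HEADER_LINES + SIGNATURE_LINES) + "\n\n" + MESSAGE

# Constructed allow-list of developer addresses a verifier would trust.
DEVELOPER_EMAILS = {"dev@example.invalid"}

IDENT_RE = re.compile(r"^(?P<name>.*) <(?P<email>[^>]*)> (?P<time>\d+) (?P<tz>[+-]\d{4})$")


def parse_commit(raw):
    """Split a raw commit object into (headers, message). headers maps each key to a
    list of values (merges have several 'parent' lines); continuation lines of a
    multi-line value such as 'gpgsig' are joined back onto that value."""
    header_text, _, message = raw.partition("\n\n")
    headers = {}
    key = None
    for line in header_text.split("\n"):
        if line.startswith(" ") and key is not None:
            headers[key][-1] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, []).append(value)
    return headers, message


def identity(field):
    """Return (name, email) from an author/committer value. This is plain text chosen
    by whoever made the commit; nothing in it is authenticated."""
    match = IDENT_RE.match(field)
    if match is None:
        raise ValueError("malformed identity line: %r" % field)
    return match.group("name"), match.group("email")


def commit_id(raw):
    """The object id exactly as git computes it: SHA-1 over 'commit <size>\\0<body>'.
    It binds the committer text into the hash but proves nothing about who wrote it."""
    body = raw.encode("utf-8")
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()


def signed_payload(raw):
    """What a PGP signature on a commit covers: the object with the gpgsig header
    (and its continuation lines) removed. Author and committer lines are inside it."""
    header_text, sep, message = raw.partition("\n\n")
    kept = []
    skipping = False
    for line in header_text.split("\n"):
        if line.startswith(" "):
            if not skipping:
                kept.append(line)
            continue
        skipping = line.startswith("gpgsig ")
        if not skipping:
            kept.append(line)
    return "\n".join(kept) + sep + message


def summarize(raw):
    headers, message = parse_commit(raw)
    return {
        "id": commit_id(raw),
        "author": identity(headers["author"][0])[1],
        "committer": identity(headers["committer"][0])[1],
        "has_signature": "gpgsig" in headers,
        "subject": message.split("\n", 1)[0],
    }


def check_policy(raw, allowed_emails=DEVELOPER_EMAILS):
    """Cheap pre-checks a receive hook could run before the real `git verify-commit`.
    An empty list means only that the cryptographic check is worth running."""
    info = summarize(raw)
    problems = []
    if not info["has_signature"]:
        problems.append("commit %s carries no gpgsig header" % info["id"][:12])
    if info["committer"] not in allowed_emails:
        problems.append("committer %s is not a known developer address" % info["committer"])
    return problems


if __name__ == "__main__":
    for label, raw in (("unsigned", UNSIGNED_COMMIT), ("signed", SIGNED_COMMIT)):
        print(label, summarize(raw), check_policy(raw) or "ready for git verify-commit")
```

Running the script prints both summaries: the unsigned and signed samples have different ids only because the gpgsig text is part of the hashed object, and only the signed one passes the pre-check. In a real repository the same checks would be fed from `git cat-file commit <sha>` and followed by `git verify-commit <sha>` (or `git log --show-signature`), which is the step that actually ties the committer line to a key.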