| 1 |
On 17 July 2015 at 13:13, NP-Hardass <NP-Hardass@g.o> wrote: |
| 2 |
> Additionally, I feel that a signature is a means of acknowledging that |
| 3 |
> a package has been looked over, and that developer has stated that |
| 4 |
> they approve of the existing state |
| 5 |
|
| 6 |
|
| 7 |
That much is somewhat implied by a developer owning a commit. Because |
| 8 |
in git, single commits span multiple files. |
| 9 |
|
| 10 |
There's GIT_COMMITER and GIT_AUTHOR values in every commit. |
| 11 |
|
| 12 |
And a "Signature" is a digital proof that Joe Bloggs didn't forge a |
| 13 |
commit, label it "NP-Hardass" and push it on to some server pretending |
| 14 |
to be NP-Hardass. |
| 15 |
|
| 16 |
It might sound like a rubber stamping, but its no more rubber stamped |
| 17 |
than our current workflow where signature generation is automatic and |
| 18 |
having a signed manifest doesn't in fact mean it *has* been looked at, |
| 19 |
its only signing who touched it last. |
| 20 |
|
| 21 |
For NSA to break a Manifest, they'd need to update an entry and resign |
| 22 |
it, and then we could later work out who signed what manifests if we |
| 23 |
had any problem |
| 24 |
|
| 25 |
-- |
| 26 |
Kent |
| 27 |
|
| 28 |
KENTNL - https://metacpan.org/author/KENTNL |
Archives