On 06/14/2018 08:26 PM, Thomas Deutschmann wrote:

> GitHub's feature to display "verified" status has zero meaning for the
> Gentoo project. We only trust our own key store.
>
> But this all doesn't matter:
> GitLab for example offers a similar feature. I.e. you can add your
> public key to your GitLab.com account like you did with your GitHub.com
> account and GitLab will display the same "verified" indicator.

I think I understand that viewpoint, but there's nuance:

(it matters "more than zero", as you claimed)

If proxy-maintainers or other contributors have no
assurance that they aren't being impersonated, then
a person in bad faith could spoof a submission.

It's a matter of convenience for the committing dev
to be able to verify my key was used for a commit.

I'm aware that a Gentoo developer who does the actual
commit will use their own key for the commit which
is entered into the proper git tree.

It's still a matter of convenience: an assurance that
there's some way in which contributors can have "not zero"
trust that a commit wasn't wrongly made on their behalf
(malicious chain of custody on some level).

(TIL - as you say, GitLab has this feature too. cool)

--kuza