| 1 |
On 06/14/2018 08:26 PM, Thomas Deutschmann wrote: |
| 2 |
|
| 3 |
> GitHub's feature to display "verified" status has zero meaning for the |
| 4 |
> Gentoo project. We only trust our own key store. |
| 5 |
> |
| 6 |
> But this all doesn't matter: |
| 7 |
> GitLab for example offers a similar feature. I.e. you can add your |
| 8 |
> public key to your GitLab.com account like you did with your GitHub.com |
| 9 |
> account and GitLab will display the same "verified" indicator. |
| 10 |
|
| 11 |
I think I understand that viewpoint, but there's nuance: |
| 12 |
|
| 13 |
(it matters "more than zero", as you claimed) |
| 14 |
|
| 15 |
if proxy-maintainers or other contributors have no |
| 16 |
assurance that they aren't being impersonated, then |
| 17 |
a person in bad faith could spoof a submission. |
| 18 |
|
| 19 |
it's a matter of convenience for the committing dev |
| 20 |
to be able to verify my key was used for a commit. |
| 21 |
|
| 22 |
I'm aware that a gentoo developer who does the actual |
| 23 |
commit will use their own key for the commit which |
| 24 |
is entered into the proper git tree. |
| 25 |
|
| 26 |
It's still a matter of convenience. an assurance that |
| 27 |
there's some way which contributors can have "not zero" |
| 28 |
trust that a commit wasn't wrongly made on their behalf |
| 29 |
(malicious chain of custody on some level) |
| 30 |
|
| 31 |
(TIL - as you say, gitlab has this feature too. cool) |
| 32 |
|
| 33 |
--kuza |
Archives