Hi!

> It's also hard to collect ALL the keys of the devs at any point in
> time to decide if that key is authorized to sign a commit in the
> repo...

We do have most of the keys in docs/share/pgpkeys/ plus history.

> Like if a dev starts in 2021, any commits made by that
> dev prior to 2021 should not be "valid".. Then there's also the
> issue that people's keys change over time, and now you need to know
> what time period each key was valid for, otherwise a compromised key
> could be used to insert malicious changes into your/the tree...

If we manage keys plus their history in the doc repo, this seems to be solved.

-- 
pi_at_opsec.eu +49 171 3101372 Now what ?

Received on Wed Dec 23 2020 - 11:15:14 UTC
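The per-key validity-window check discussed in this message, as an added example that is not part of the original post or of any project tooling. The `HISTORY` table, its placeholder fingerprints and developer names, and the `received_time` argument (a server-side record of when the commit arrived) are assumptions; the check uses both timestamps because the date inside a commit is chosen by whoever signs it.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class KeyPeriod(NamedTuple):
    fingerprint: str
    dev: str
    valid_from: datetime
    valid_until: Optional[datetime]  # None = still authorized

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample history; fingerprints and names are placeholders.
HISTORY = [
    KeyPeriod("AAAA1111", "alice", utc(2015, 3, 1), utc(2019, 6, 1)),  # rotated out
    KeyPeriod("AAAA2222", "alice", utc(2019, 6, 1), None),
    KeyPeriod("BBBB1111", "bob", utc(2021, 1, 1), None),  # joined in 2021
]

def covers(periods, when):
    """True if any authorization window of this key contains `when`."""
    return any(
        p.valid_from <= when and (p.valid_until is None or when < p.valid_until)
        for p in periods
    )

def check_commit(fingerprint, claimed_time, received_time, history=HISTORY):
    """Return (ok, reason) for a commit whose signature already verified.

    claimed_time  -- date recorded in the commit (set by the signer)
    received_time -- when the repository first saw the commit (assumed
                     to be recorded by the server, not by the signer)
    """
    periods = [p for p in history if p.fingerprint == fingerprint]
    if not periods:
        return False, "unknown key"
    if not covers(periods, claimed_time):
        return False, "key not authorized at commit date"
    if not covers(periods, received_time):
        # A retired or compromised key can backdate the commit date,
        # but it cannot change when the server received the commit.
        return False, "key not authorized at receive time"
    return True, f"authorized for {periods[0].dev}"
```
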