Kurt Jaeger wrote this message on Wed, Dec 23, 2020 at 13:15 +0100:
> Hi!
>
> > It's also hard to collect ALL the keys of the devs at any point in
> > time to decide if that key is authorized to sign a commit in the
> > repo...
>
> We do have most of the keys in docs/share/pgpkeys/ plus history.
>
> > Like if a dev starts in 2021, any commits made by that
> > dev prior to 2021 should not be "valid".. Then there's also the
> > issue that people's keys change over time, and now you need to know
> > what time period each key was valid for, otherwise a compromised key
> > could be used to insert malicious changes into your/the tree...
>
> If we manage keys plus their history in the doc repo, this seems
> to be solved.

The data is there, but are you going to write a tool such that it can
be verified? Then you have the job of verifying the doc repo to make
sure that the keys you have are valid, where does the root of trust come
from there?

Not saying it isn't possible, it's just a LOT of work to make it useful...

-- 
John-Mark Gurney                Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

Received on Tue Dec 29 2020 - 00:03:28 UTC
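
The check discussed in this thread (was the signing key authorized for that developer at the time of the commit?), as an added example that is not part of the original message or of any FreeBSD tooling. Fingerprints, owners, dates and function names are hypothetical; it assumes each signature has already been cryptographically verified, that the signature time is trustworthy, and that the key history itself is authentic, which is the root-of-trust question the reply raises.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class KeyPeriod:
    fingerprint: str
    owner: str
    valid_from: datetime
    valid_until: Optional[datetime]  # None: key is still current

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed key history (hypothetical fingerprints and owners).
# Assumption: this table has already been authenticated by some other means.
KEY_HISTORY = [
    KeyPeriod("AAAA1111", "alice", utc(2015, 1, 1), utc(2019, 6, 1)),  # rotated out
    KeyPeriod("AAAA2222", "alice", utc(2019, 6, 1), None),
    KeyPeriod("BBBB1111", "bob", utc(2021, 1, 1), None),  # dev who starts in 2021
]

def check_signature(fingerprint, signed_at, history=KEY_HISTORY):
    """Classify one commit signature that already verified cryptographically."""
    periods = [p for p in history if p.fingerprint == fingerprint]
    if not periods:
        return "unknown-key"
    for p in periods:
        ended = p.valid_until is not None and signed_at >= p.valid_until
        if signed_at >= p.valid_from and not ended:
            return "ok:" + p.owner
    return "outside-validity"

def audit(commits, history=KEY_HISTORY):
    """Return (commit_id, verdict) for every commit that is not acceptable."""
    results = [(cid, check_signature(fpr, ts, history)) for cid, fpr, ts in commits]
    return [(cid, verdict) for cid, verdict in results if not verdict.startswith("ok:")]

# Constructed commits: (id, signing key fingerprint, signature time).
SAMPLE_COMMITS = [
    ("c1", "AAAA2222", utc(2020, 3, 1)),   # current key, inside its window
    ("c2", "AAAA1111", utc(2020, 3, 1)),   # old key used after rotation
    ("c3", "BBBB1111", utc(2020, 12, 1)),  # dated before the dev started
    ("c4", "CCCC9999", utc(2020, 12, 1)),  # key not in the history at all
]

if __name__ == "__main__":
    print(audit(SAMPLE_COMMITS))
```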