[Mailman-Developers] Signing commits with gpg

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 25 19:11:39 EDT 2017


On Wed 2017-10-25 18:14:23 +0200, Simon Hanna wrote:
> For me as a user it would be more interesting to have a verified
> release signed by one key that's static rather than a commit history
> that is signed by many different keys that I don't know.

this is not an "either/or" thing.  it's a "both, and!" thing.  software
provenance works at multiple levels, and for software that we care
about, we should have a cryptographic path on as many of them as
possible.

     --dkg