stf on Nostr: question, git commit signatures. why? who cares who signed it? what matters is the ...
question, git commit signatures. why? who cares who signed it? what matters is the contents! without rigorous checking of signatures & a proper infrastructure to actually distribute public keys, certify their authenticity, handle the key-lifecycle it's just security larping. maybe in big projects this is good for delegating trust to sub-project maintainers, so the boss doesn't have to review commits, only sigs. but that's bureaucracy. jiatan would've signed their backdoors. so the question is why?
Published at 2025-02-19 14:02:55
Event JSON
{
"id": "111604d2635038e96bf6deaf6368600cd58e24fe5ca47fe176c3f9f3cbff513d",
"pubkey": "b887bffcf63863763c712604944ba34cf6b4674aba9d9ad586fda383be9f07c8",
"created_at": 1739973775,
"kind": 1,
"tags": [
[
"proxy",
"https://chaos.social/users/stf/statuses/114030921378296286",
"activitypub"
]
],
"content": "question, git commit signatures. why? who cares who signed it? what matters is the contents! without rigorous checking of signatures \u0026 a proper infrastructure to actually distribute public keys, certify their authenticity, handle the key-lifecycle its just security larping. maybe in big projects this is good for delegating trust to sub-project maintainers, so the boss doesn't have to review commits, only sigs. but that's burocracy. jiatan would've signed their backdoors. so the question is why?",
"sig": "268072a168b84c6fe894848729b2356d33ec4656fc6d5f58eb49d2a3d02f671dbc8427212e3fe62a1f9063de68a6d69e81c52612ce4b79b37468174af11f8d17"
}