On 20/02/2020 21:35, Schulman, Andrew via cygwin-apps wrote:
Thanks!

I was just sitting here thinking about the merits of verifying a new
key request like that by some kind of secure signature system, versus
just posting the request on a public mailing list, and having a human
acknowledge to the developer's previously known email address. I have
to say, I can't see much more security benefit from the first method,
that would justify the extra hassle. The second method is pleasantly
simple.

Yeah, it would be nice to have something like SSKM [1], but our gitolite usage is sufficiently non-standard that it would need some hacking on to fit.

And that doesn't help with initial keys, and people who've lost their key (who we're presumably going to trust an email from), so given the small number of keys we're dealing with, it's hard to see it's worth the effort.

[1] https://gitolite.com/gitolite/contrib/sskm.html
