Hi! > It's also hard to collect ALL the keys of the devs at any point in > time to decide if that key is authorized to sign a commit in the > repo...
We do have most of the keys in docs/share/pgpkeys/ plus history. > Like if a dev starts in 2021, any commits made by that > dev prior to 2021 should not be "valid".. Then there's also the > issue that people's keys change over time, and now you need to know > what time period each key was valid for, otherwise a compromised key > could be used to insert malicious changes into your/the tree... If we manage keys plus their history in the doc repo, this seems to be solved. -- p...@opsec.eu +49 171 3101372 Now what ? _______________________________________________ freebsd-current@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
