Re: commit signing

2022-09-28 Thread Ulrich Drepper via Gcc
On Wed, Sep 14, 2022 at 2:07 PM Ulrich Drepper wrote:
> On Wed, Sep 14, 2022 at 1:31 PM Richard Biener wrote:
>
>> How does this improve supply chain security if the signing happens
>> automagically rather than manually at points somebody actually
>> did extra verification?
>
> It works only

Re: commit signing

2022-09-14 Thread Ulrich Drepper via Gcc
On Wed, Sep 14, 2022 at 1:31 PM Richard Biener wrote:
> How does this improve supply chain security if the signing happens
> automagically rather than manually at points somebody actually
> did extra verification?

It works only automatically if you have ssh-agent (and/or gpg-agent) running. I

Re: commit signing

2022-09-14 Thread Jakub Jelinek via Gcc
On Wed, Sep 14, 2022 at 01:31:06PM +0200, Richard Biener via Gcc wrote:
> How does this improve supply chain security if the signing happens
> automagically rather than manually at points somebody actually
> did extra verification? That is, what's the attack vector this helps with?
>
> What's the

Re: commit signing

2022-09-14 Thread Richard Biener via Gcc
On Wed, Sep 14, 2022 at 11:12 AM Ulrich Drepper via Gcc wrote:
>
> For my own projects I started /automatically/ signing all the git commits.
> This is so far not that important for my private projects but it is
> actually important for projects like gcc. It adds another layer of
> security to th

Re: commit signing

2022-09-14 Thread Jonathan Wakely via Gcc
On Wed, 14 Sept 2022 at 10:12, Ulrich Drepper wrote:
> The key creation ideally is a one-time effort. The git configuration is
> for everyone using the gcc git tree a once-per-local-repository effort (and
> can be scripted, the gcc repo could even contain a script for that).

No opinion yet on the

commit signing

2022-09-14 Thread Ulrich Drepper via Gcc
For my own projects I started /automatically/ signing all the git commits. This is so far not that important for my private projects but it is actually important for projects like gcc. It adds another layer of security to the supply chain security. My shell prompt (as many other people's as well)