Open heri16 opened 5 years ago
All commits pushed to GitHub should be cryptographically signed by the developer PGP keys that are published on Keybase.io.
This should apply to all contributors as standard Git commits are inherently weak against identity spoofing / impersonation.
The Heartbleed OpenSSL incident teaches us that it would be bad if we could not trace exactly who made the changes that led to the vulnerability.
See: https://help.github.com/articles/signing-commits/
Decided to use the codesign feature of https://github.com/kryptco/kr for better security of PGP keys and easier developer setup.
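One way to check the signing policy proposed above on the verifying side, as an added example that is not part of the original issue or the project's code: it classifies commits by git's `%G?` signature status and rejects everything that is not a good, trusted signature. The function names and the sample lines are constructed for illustration, and real use assumes the contributors' public keys have already been imported into the verifier's GnuPG keyring.

```shell
#!/bin/sh
# Input: lines "<hash> <status> <author-email>", as printed by
#   git log --format='%H %G? %ae' <range>
# %G? codes: G good, U good but key not trusted, B bad, X expired signature,
# Y expired key, R revoked key, E cannot be checked, N no signature.

# Prints one REJECT line per commit that is not status G; returns 1 if any.
check_signatures() {
    awk '
        BEGIN {
            why["N"] = "no signature"
            why["B"] = "bad signature"
            why["U"] = "good signature, key not trusted"
            why["X"] = "signature expired"
            why["Y"] = "signed with expired key"
            why["R"] = "signed with revoked key"
            why["E"] = "cannot check (public key missing?)"
        }
        NF >= 2 && $2 != "G" {
            r = ($2 in why) ? why[$2] : "unknown status " $2
            printf "REJECT %s %s: %s\n", substr($1, 1, 12), $3, r
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input (not real commits).
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G alice@example.com
2222222222222222222222222222222222222222 N bob@example.com
3333333333333333333333333333333333333333 E carol@example.com
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use: pass a revision range, e.g. origin/main..HEAD (hypothetical).
    # Fail closed if git itself errors, so a bad range cannot pass the check.
    log=$(git log --format='%H %G? %ae' "$1") || exit 2
    printf '%s\n' "$log" | check_signatures
else
    sample_log | check_signatures || true   # demo on the sample above
fi
```

Status `U` (valid signature from a key with no assigned trust) is rejected here as well, so the keys need a trust level in the verifier's keyring before their commits pass.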