MinBZK / nl-wallet

NL Public Reference Wallet
https://edi.pleio.nl

signing commits #6

Closed protocolpolice closed 3 months ago

protocolpolice commented 1 year ago

line: 107 "all commits should be signed using a GPG key"

question: why care and [exclude] non-pgp, the content of the code speaks for itself?

Potherca commented 5 months ago

Bruh, WTF?

protocolpolice commented 5 months ago

hey Ben,

what's up?

i've missed the start ;)

rob

On 15-04-2024 15:31 EDT, Ben Peachey <@.***> wrote:

Bruh, WTF?


Potherca commented 5 months ago

Without further context the ticket body is significantly nonsensical.

Signing commits is common practice, GPG a common enough mechanism. SSH might be used, but what has any of this to do with letting "the content of the code" speak for itself?

The mind boggles. 😵‍💫

protocolpolice commented 5 months ago

..lol

the magic doesn't happen in the signing, it's what the code does ( ..or doesn't in the wallet's case )

you're looking at it from a dev or enduser viewpoint, the attackers won't

there's an elephant in the room, digital currency, sidetrack on collision course

On 17-04-2024 04:26 EDT, Ben Peachey <@.***> wrote:

Without further context the ticket is significantly nonsensical.

Signing commits is common practice, GPG a common enough mechanism. SSH might be used, but what has any of this to do with letting "the content of the code" speak for itself?

The mind boggles. 😵


confiks commented 3 months ago

I'm afraid I don't fully understand your question. This project uses GPG-signed commits in the private version of this repository (which is synced to the public repository roughly every three weeks) to maintain an audit log about who added which code. We settled on GPG because at the time, SSH-key signed commits were not available yet; they were introduced a few months later.

Feel free to reopen if you have another question.
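
As an added illustration of the audit-log use described in the comment above (example code written for this page, not from the nl-wallet project or its maintainers): a POSIX shell check that reads `git log --format='%h %G? %GS'` output and reports every commit whose signature does not establish who made it. The function names, the sample lines and the rule that only status `G` passes are assumptions.

```shell
#!/bin/sh
# Added example: audit commit-signature status for a commit range.
# Feed it the output of:  git log --format='%h %G? %GS' <range>
# %G? codes (git pretty-format): G good, U good/unknown validity, X expired
# signature, Y expired key, R revoked key, B bad, E cannot check, N none.

# Assumption: only "G" satisfies the policy. "U" verifies cryptographically,
# but the key is not trusted locally, so it does not establish who committed.
audit_signatures() {
    failures=0
    while read -r commit status signer; do
        [ -n "$commit" ] || continue          # skip blank lines
        case "$status" in
            G) continue ;;
            U) reason="good signature, but key validity unknown" ;;
            X) reason="signature has expired" ;;
            Y) reason="signed by an expired key" ;;
            R) reason="signed by a revoked key" ;;
            B) reason="BAD signature" ;;
            E) reason="cannot check signature (public key missing?)" ;;
            N) reason="not signed" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        echo "$commit: $reason${signer:+ [$signer]}"
        failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]                     # non-zero exit if any commit failed
}

# Constructed sample input (not real commits from any repository).
SAMPLE_LOG='a1b2c3d G Dev One <dev1@example.org>
b2c3d4e N
c3d4e5f U Dev Two <dev2@example.org>
d4e5f60 B Dev One <dev1@example.org>
e5f6071 G Dev Two <dev2@example.org>'

run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | audit_signatures
}

# Demo: report violations without aborting the script.
run_sample || echo "policy check failed: unsigned or unverifiable commits found"
```

Against a real repository the same function can be fed directly, for example `git log --format='%h %G? %GS' main | audit_signatures`, with the committers' public keys imported and trusted in the local keyring.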