lcobucci / jwt

A simple library to work with JSON Web Token and JSON Web Signature
https://lcobucci-jwt.readthedocs.io/en/stable/
BSD 3-Clause "New" or "Revised" License

Drop commit signing requirement #1078

Open Slamdunk opened 5 hours ago

Slamdunk commented 5 hours ago

From https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.

This is questionable and misleading: for the source to be trusted, you need to trust the signing key. In computer science, distributed trust systems have never proved to be easier/better than central authorities. I'm not saying central authorities can be trusted by default, just that it's easier.

As of today, GPG key trust systems are less reliable than a central authority like GitHub (i.e. https://github.com/lcobucci.gpg), but if that's the case, there's no point in having GPG signing checks in place, only hurdles.

Not being able to merge simple PRs like https://github.com/lcobucci/jwt/pull/1077 from GitHub itself makes me almost useless as a Collaborator.

Ocramius commented 3 hours ago

I'd be happy to keep just the tags signed: those should be, IMO, and the release automation can do it for us.