Kevin Fenzi wrote: > On Fri, Sep 16, 2022 at 10:03:35AM +0200, Vít Ondruch wrote: >> Isn't peer review much better and easier solution over all? We could also >> require signed commits I guess. > > I think it would slow things down quite a lot to require peer review of > every commit. > > I'd personally like to avoid anything where we need to support gpg. > It's a mess and I think it would waste a lot of cycles explaining how to > use it or help people get setup. ;( If there's some easier/more clear > way to sign things that could be a option tho. Since git-2.34 (released in November of last year), ssh may be used for signing commits and/or pushes. That's likely a bit simpler than gpg. On the other hand, if it's cached by ssh-agent and/or uses the same key used to connect to dist-git, it might not add as much to the security as we might want. But it may be an option, in case it spurs anyone to come up with a change which improves security and doesn't add too much additional burden. You mentioned ecdsa-sk / ed25519-sk FIDO authenticator algorithms earlier. Git ssh-signed commit/push might be useful if/when other parts of our infrastructure can make use of those key types. -- Todd
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
