On 9/19/22 04:52, Petr Pisar wrote:
> On Fri, Sep 16, 2022 at 01:56:03PM -0400, Todd Zullinger wrote:
>> Kevin Fenzi wrote:
>>> On Fri, Sep 16, 2022 at 10:03:35AM +0200, Vít Ondruch wrote:
>>>> Isn't peer review a much better and easier solution over all? We could also
>>>> require signed commits I guess.
>>>
>>> I think it would slow things down quite a lot to require peer review of
>>> every commit.
>>>
>>> I'd personally like to avoid anything where we need to support gpg.
>>> It's a mess and I think it would waste a lot of cycles explaining how to
>>> use it or help people get set up. ;( If there's some easier/more clear
>>> way to sign things that could be an option tho.
>>
>> Since git-2.34 (released in November of last year), ssh may
>> be used for signing commits and/or pushes. That's likely a
>> bit simpler than gpg.
>>
> Is administrating SSH keys any easier (for a packager and for Fedora
> infrastructure) than PGP keys?

Yes, it is. ssh-keygen -Y is much much simpler to use than gpg. Verifying SSH signatures does not expose Fedora servers to DoS attacks the way verifying PGP signatures would. And the same key can be used for both SSH and for signing, without creating security risks. Furthermore, OpenSSH supports using any FIDO2 token for key storage, not just more expensive PGP-capable tokens.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
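The ssh-keygen -Y workflow the thread refers to, as an added example that is not part of any message above: sign data with an ordinary SSH key, verify it against an allowed_signers list, and check that a modified payload is rejected. The working directory, key path and the principal "packager@example.org" are assumptions for the demo, and the git configuration at the end is shown as comments only.

```shell
#!/bin/sh
# Added example, not from the thread: sign data with an ordinary SSH key via
# ssh-keygen -Y, verify it against an allowed_signers file, and confirm that a
# tampered payload is rejected. Paths and the principal "packager@example.org"
# are assumptions made for this demo.
set -eu
WORK=$(mktemp -d)
KEY="$WORK/id_ed25519"          # same key type a packager already uses for SSH
IDENTITY="packager@example.org" # principal recorded in allowed_signers
NAMESPACE="git"                 # git signs commits under the "git" namespace

# Create a throwaway ed25519 key (no passphrase, demo only) and the
# allowed_signers trust list: "<principal> <keytype> <base64 key>" per line.
setup_demo_key() {
    ssh-keygen -q -t ed25519 -N "" -C "$IDENTITY" -f "$KEY"
    printf '%s %s\n' "$IDENTITY" "$(cut -d' ' -f1,2 "$KEY.pub")" \
        > "$WORK/allowed_signers"
}

# Sign a file; ssh-keygen writes the armored SSHSIG blob to <file>.sig.
ssh_sign() {   # $1 = data file
    ssh-keygen -Y sign -f "$KEY" -n "$NAMESPACE" "$1" >/dev/null 2>&1
}

# Verify: exit 0 only if the signature matches the data AND the namespace AND
# a key listed for the principal in allowed_signers.
ssh_verify() {   # $1 = data file, $2 = signature file
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$IDENTITY" \
        -n "$NAMESPACE" -s "$2" < "$1" >/dev/null 2>&1
}

# End-to-end: the genuine payload verifies, a modified one does not;
# returns 0 when both outcomes are as expected.
demo_sign_and_verify() {
    setup_demo_key
    printf 'commit contents v1\n' > "$WORK/payload"
    ssh_sign "$WORK/payload"
    ssh_verify "$WORK/payload" "$WORK/payload.sig" || return 1
    printf 'commit contents v2\n' > "$WORK/tampered"
    if ssh_verify "$WORK/tampered" "$WORK/payload.sig"; then
        return 1   # a tampered payload must NOT verify
    fi
    return 0
}

# The equivalent git (>= 2.34) configuration, shown but not executed here:
#   git config gpg.format ssh
#   git config user.signingkey "$KEY.pub"
#   git config gpg.ssh.allowedSignersFile "$WORK/allowed_signers"
#   git commit -S -m "signed commit"   # then: git log --show-signature -1
```

The allowed_signers file is the only trust anchor the verifier consults, so a revoked or rotated key is handled by editing that one file rather than a keyring.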