On Thu, May 13, 2021 at 01:29:19PM -0700, dwh@xxxxxxxxxxxxxxxxxxx wrote:
> 3. The key material used for identifying contributors needs to move into
>    the repos themselves for many reasons but the most important two
>    reasons are (1) the repo comes with all of the data necessary to
>    verify all of the digital signatures (i.e. solving the PKI problem
>    for a project) and (2) to track the provenance of the public keys and
>    other related data that each contributor uses. If Git repos contain
>    provenance logs that are controlled and maintained by each
>    contributor, those logs can also contain digital signatures over the
>    code of conduct and the developer certificate of origin and other
>    governing documents for a project that are legally binding (i.e.
>    follow eIDAS and other legal digital signature rules). Solving the
>    PKI problem alone makes digitally signing commits infinitely more
>    useful and will drive adoption. Solving the non-repudiable provenance
>    problem is the raison d'être of organizations like the Linux
>    Foundation. I think Git should align itself with where technology is
>    heading on that front.

Dave:

Check out what we're doing as part of patatt and b4:
https://pypi.org/project/patatt/

It takes your keyring-in-git idea and runs with it -- it would be good to
have your input while the project is still young and widely unknown. :)

-K
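The keyring-in-git idea discussed above, as an added example that is not code from the original thread and not the code of patatt or b4: the repository itself carries the public keys, so a verifier needs nothing outside the checkout to check a contributor's signature. The `.keys/ed25519/<domain>/<localpart>/<selector>` layout, the `Keyring` type, the identity and selector strings, the sample patch text and the fixed demo seed are all assumptions constructed for illustration. The example also shows the two failure cases a verifier has to distinguish (tampered content versus a signer whose key was never committed) and rejects identity components that could steer the key lookup outside the keyring directory.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Keyring models the public keys a project commits into its own tree.
// Assumed layout for this example (not a definition of patatt's format):
//   .keys/ed25519/<domain>/<localpart>/<selector> -> base64 public key
type Keyring map[string][]byte

// keyPath maps a signer identity plus selector to the in-repo file path.
// The components come from the (not yet authenticated) signed message, so
// anything that is not a plain name is rejected before it touches a path.
func keyPath(identity, selector string) (string, error) {
	local, domain, ok := strings.Cut(identity, "@")
	if !ok || local == "" || domain == "" || selector == "" {
		return "", errors.New("malformed identity or selector")
	}
	for _, part := range []string{local, domain, selector} {
		if strings.ContainsAny(part, "/\\") || part == "." || part == ".." {
			return "", errors.New("identity component is not a plain name")
		}
	}
	return path.Join(".keys", "ed25519", domain, local, selector), nil
}

// AddKey records a public key under the given identity and selector.
func (k Keyring) AddKey(identity, selector string, pub ed25519.PublicKey) error {
	p, err := keyPath(identity, selector)
	if err != nil {
		return err
	}
	k[p] = []byte(base64.StdEncoding.EncodeToString(pub))
	return nil
}

// Verify checks sigB64 over msg using only keys present in the repo keyring.
func (k Keyring) Verify(identity, selector string, msg []byte, sigB64 string) error {
	p, err := keyPath(identity, selector)
	if err != nil {
		return err
	}
	raw, ok := k[p]
	if !ok {
		return fmt.Errorf("no key for %s (selector %s) in repo keyring at %s", identity, selector, p)
	}
	pub, err := base64.StdEncoding.DecodeString(string(bytes.TrimSpace(raw)))
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("keyring entry %s is not a valid ed25519 public key", p)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("signature is not valid base64 of ed25519 signature size")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Sign produces a base64 signature over msg. The contributor does this on
// their side; it is included so the example runs stand-alone.
func Sign(priv ed25519.PrivateKey, msg []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
}

// demoSeed is a constructed, fixed seed so the demo is reproducible.
// A real key must never be derived from a constant.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// Demo commits one key to the keyring and checks the three cases a
// verifier must tell apart: good signature, tampered content, unknown key.
func Demo() (good, tampered, unknown bool) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	kr := Keyring{}
	_ = kr.AddKey("alice@example.org", "20210513", priv.Public().(ed25519.PublicKey))

	patch := []byte("Subject: [PATCH] fix off-by-one\n\n...constructed diff body...\n") // constructed sample
	sig := Sign(priv, patch)

	good = kr.Verify("alice@example.org", "20210513", patch, sig) == nil
	tampered = kr.Verify("alice@example.org", "20210513", append(patch, '\n'), sig) == nil
	// Same valid signature, but mallory's key was never committed to the repo,
	// so the repo-as-PKI model gives it no trust.
	unknown = kr.Verify("mallory@example.org", "20210513", patch, sig) == nil
	return good, tampered, unknown
}

func main() {
	good, tampered, unknown := Demo()
	fmt.Printf("good=%v tampered=%v unknown=%v\n", good, tampered, unknown)
}
```

The design point is that trust is bounded by what has been committed: a signature that verifies under some key is worthless unless that key sits at the path the identity and selector resolve to in the tree, and the path is built only from sanitized components so a crafted identity cannot read a key from elsewhere in the checkout. Rotation is handled by committing a new selector rather than overwriting the old one, which keeps older signatures verifiable against the key that was valid at the time.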