On 14.05.2021 09:45, Konstantin Ryabitsev wrote:
As you know, this is my third attempt at getting patch attestation off the
ground.
Yes, I've been following. It's been a long road.
I'm hoping that this version resolves the downsides of the previous two
attempts by both being dumb and simple and by only requiring a simple one-time
setup (via the sendemail-validate hook) with no further changes to the usual
git-send-email workflow after that.
I'm very interested in whether this one works. You and I are completely
aligned on this. I don't think I'm paying enough attention to the
emailed patch attestations as you have. I think I understand the
requirements but maybe not all of them. Do you have any threads on
public-inbox where you discuss them? I want to make sure that what I'm
doing doesn't undermine anything you're trying to do. The end goal is to
have an air-tight provenance on all contributions and
accountable/audtiable software supply chain. We're all working towards
that.
I've not yet widely promoted this, as patatt is a very new project, but I'm
hoping to start reaching out to people to trial it out in the next few weeks.
Hopefully this approach strikes the right balance.
Cheers!
Dave
