- Hey 👋 Yeah, I agree it's somewhat ironic, however, consider that when merging PRs, the commit is signed by GitHub - so as long as we're doing that, we're implicitly trusting GitHub, anyway. All code is reviewed before it's merged - the only way PGP signatures would make this more secure is if we would merge locally, sign the merge commit locally, and not use GitHub's merge feature. This would probably be a pretty big overhead, and it's disputable whether it would be worth it - but it's something to think about indeed.
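The trust distinction the comment draws (a merge commit signed by GitHub's web-flow key rests on GitHub; a merge commit signed on a maintainer's machine rests on the maintainer) can be made visible by auditing a repository's history. The script below is an added example and is not part of this discussion or of any project's tooling. It parses the output of `git log --format='%H%x09%P%x09%G?%x09%GS'` (hash, parents, signature status, signer) and labels each commit by whose key, if any, vouches for it. It assumes that GitHub's merge signatures identify the signer with a `noreply@github.com` address; the log lines embedded in it are constructed, not taken from any real repository.

```python
"""Label git commits by which party's signature they rest on.

Intended input (run by a practitioner against a real checkout):
    git log --format='%H%x09%P%x09%G?%x09%GS' main
Fields per line, tab-separated: commit hash, parent hashes (space-separated),
signature status (%G?), signer identity (%GS).
"""
from dataclasses import dataclass

# Assumption: commits merged through GitHub's web UI are signed by GitHub's own
# key, whose signer identity carries this address. Adjust for other platforms.
PLATFORM_SIGNER_MARKER = "noreply@github.com"


@dataclass(frozen=True)
class Commit:
    sha: str
    parents: tuple
    status: str   # %G?: G good, B bad, U/X/Y/R/E weaker or failed, N none
    signer: str   # %GS: empty when there is no signature

    @property
    def is_merge(self) -> bool:
        # A merge commit has more than one parent.
        return len(self.parents) > 1


def parse_log(text: str) -> list:
    """Turn the tab-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, parents, status, signer = line.split("\t")
        commits.append(Commit(sha, tuple(parents.split()), status, signer))
    return commits


def classify(c: Commit) -> str:
    """Return which party a commit's integrity rests on."""
    if c.status in ("N", ""):
        return "unsigned"
    if c.status != "G":
        # B (bad), U (unknown validity), X/Y (expired), R (revoked), E (error)
        return "not-fully-verified"
    if PLATFORM_SIGNER_MARKER in c.signer:
        # e.g. a PR merged with the GitHub button: trust rests on GitHub
        return "trusts-platform"
    return "trusts-maintainer"


def audit(text: str) -> dict:
    """Count commits per label, marking merge commits separately."""
    counts = {}
    for c in parse_log(text):
        label = classify(c)
        if c.is_merge:
            label = "merge:" + label
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: a button merge, a maintainer commit, an unsigned
# contributor commit, a locally signed merge, and a root commit whose
# signing key is not in the local trust store.
SAMPLE_LOG = (
    "aaa1\tbbb1 ccc1\tG\tGitHub <noreply@github.com>\n"
    "bbb1\tddd1\tG\tAlice Maintainer <alice@example.org>\n"
    "ccc1\tddd1\tN\t\n"
    "ddd1\teee1 fff1\tG\tAlice Maintainer <alice@example.org>\n"
    "eee1\t\tU\tBob <bob@example.org>\n"
)

if __name__ == "__main__":
    for label, n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{label:28s} {n}")
```

Run against a real branch, the `merge:trusts-platform` bucket is exactly the set of merge commits whose integrity depends on GitHub rather than on a maintainer's key; a repository that merges locally with `git merge -S` would show those merges under `merge:trusts-maintainer` instead.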
- Not a criticism
  Not shade
  Just a funny observation