[META] I love how an implementation of PGP doesn't require contributors to sign commits

[danhab99]

Not a criticism

Not shade

Just a funny observation

[twiss]

Hey 👋 Yeah, I agree it's somewhat ironic, however, consider that when merging PRs, the commit is signed by GitHub - so as long as we're doing that, we're implicitly trusting GitHub, anyway. All code is reviewed before it's merged - the only way PGP signatures would make this more secure is if we would merge locally, sign the merge commit locally, and not use GitHub's merge feature. This would probably be a pretty big overhead, and it's disputable whether it would be worth it - but it's something to think about indeed.

[RA80533]

Hey, @twiss, I think you should, at the very least, look into requiring signed commits for commits made directly to the main branch. Attribution of unsigned commits can be easily spoofed (see 3fa29f3).

I notice that you do not have a GPG key attached to your account so you're unable to personally take advantage of GitHub's vigilant mode but I would also recommend that you look into setting up one to take advantage of the additional security mechanisms that would be available.

[larabr]

Hey @RA80533 , what kind of attacks do you want to protect against?
Note that committing to master is restricted, and we are already trusting GitHub when merging PRs, as mentioned.