Hello Michael, On Mon 15 Jul 2019 at 01:16PM +02, Michael Kesper wrote:
> Nonetheless it seems to me you are moving from trusting local signing > to trusting upload by salsa, thereby making salsa more attractive for > attackers. I don't follow -- the git tag is PGP-signed, locally, by the uploader. Just like how they would PGP-sign, locally, the .dsc and .changes. -- Sean Whitton
signature.asc
Description: PGP signature
