On Mon, Mar 31 2025 at 08:09:49 PM +00:00:00, Zbigniew
Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:
OK, I guess I need to work on my English. You're the second person who
read the abovequoted part in the exact opposite way to what I
intended :(
Hm, well I misread. You didn't write the wrong thing.
But honestly I'm not sure that using an upstream GPG-signed tarball is
really more trustworthy than using a forge-generated tarball. The
question is: do I trust the upstream forge infrastructure more, or do I
trust the computers of the maintainers who have access to the GPG
signing key more? I think a compromise of GitHub infrastructure is less
likely than a compromise of an individual maintainer, so it really
probably does make sense to trust the forge.
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
