On 17 July 2015 at 13:13, NP-Hardass <np-hard...@gentoo.org> wrote:

> Additionally, I feel that a signature is a means of acknowledging that
> a package has been looked over, and that developer has stated that
> they approve of the existing state
That much is somewhat implied by a developer owning a commit. Because in git, single commits span multiple files. There are GIT_COMMITTER and GIT_AUTHOR values in every commit. And a "Signature" is a digital proof that Joe Bloggs didn't forge a commit, label it "NP-Hardass" and push it on to some server pretending to be NP-Hardass.

It might sound like rubber stamping, but it's no more rubber stamped than our current workflow, where signature generation is automatic and having a signed manifest doesn't in fact mean it *has* been looked at; it's only signing who touched it last.

For NSA to break a Manifest, they'd need to update an entry and resign it, and then we could later work out who signed what manifests if we had any problem.

-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL
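An added shell demonstration (not part of the thread, and not Gentoo tooling) of the point about author/committer fields: anyone can set GIT_AUTHOR_NAME and GIT_COMMITTER_NAME to another developer's name, and only a signature check (`git verify-commit`, or the `%G?` placeholder in `git log`) tells a forged commit apart. It assumes `git` is installed; the repository, the Manifest line and the email address are constructed for the example.

```shell
#!/bin/sh
# Added example: shows that the author/committer fields in a git commit
# are self-asserted, and that a signature check is what rejects a forgery.
set -e

# Build a throwaway repository with one commit whose author and committer
# fields claim to be "NP-Hardass". Nothing stops anyone from setting these.
make_forged_commit() {
    repo=$(mktemp -d)
    git init -q "$repo"
    # Constructed Manifest content, not a real Gentoo Manifest entry.
    echo "DIST foo-1.0.tar.gz 1234 SHA512 placeholder" > "$repo/Manifest"
    git -C "$repo" add Manifest
    GIT_AUTHOR_NAME="NP-Hardass" GIT_AUTHOR_EMAIL="forger@example.com" \
    GIT_COMMITTER_NAME="NP-Hardass" GIT_COMMITTER_EMAIL="forger@example.com" \
        git -C "$repo" commit -q -m "claims to be NP-Hardass"
    echo "$repo"
}

# The recorded author name is exactly whatever the committer chose to set.
author_of() {
    git -C "$1" log -1 --format='%an'
}

# %G? reports signature status: N = no signature, G = good, B = bad,
# U = good but untrusted key, E = cannot be checked.
signature_status() {
    git -C "$1" log -1 --format='%G?'
}

# git verify-commit exits non-zero when HEAD carries no valid signature,
# so a receive hook or CI step that runs it rejects the forged commit
# regardless of what the author field says.
verify_commit() {
    if git -C "$1" verify-commit HEAD 2>/dev/null; then
        echo verified
    else
        echo rejected
    fi
}
```

Run `repo=$(make_forged_commit); author_of "$repo"; signature_status "$repo"; verify_commit "$repo"` to see the name accepted at face value, the status `N`, and the verification rejected.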