On Mon, 29 Mar 2021, 02:30 Rasmus Lerdorf, <ras...@lerdorf.com> wrote:

> On Sun, Mar 28, 2021 at 17:15 Sara Golemon <poll...@php.net> wrote:
>
> > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella <paul.crove...@gmail.com>
> > wrote:
> >
> >> You might consider requiring commits be signed while you're at it.
> >>
> >>
> > I suggested this as well, and even if we don't require it, we should
> > STRONGLY encourage it.
> >
> > I've been signing my commits for several years now; it's not even that
> > hard.
> >
> I think for php-src commits we can require it. For doc and other repos we
> can make it optional for now until people are more comfortable with it.
>

Hey Rasmus,

This is a good compromise.

However, if you leave the phpweb repo without signed commits then we're at risk
from XSS or similar attacks still, and the surface area is really big
because literally everyone is accessing the site.

Many thanks,
Paul




> -Rasmus
>
