Newsgroups: php.internals
From: john@coggeshall.org (John Coggeshall)
To: Derick Rethans
Cc: internals@lists.php.net
Date: Wed, 3 Apr 2024 12:28:53 -0500
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
Message-ID: <87FFF397-EAAC-4B1B-8F5B-937F084368BD@getmailspring.com>
In-Reply-To: <8caff876-0995-3a57-dd87-791c83881312@php.net>

> > Having GPG key requirements is all fine and dandy I suppose, but my
> > tongue-in-cheek comment above has a real point behind it: GPG keys
> > don't mean jack if you can't trust who owns the key.
>
> GitHub doesn't show the web of trust anyway, just "verified". Command
> line GIT doesn't either, just:
>

That's really unfortunate (why even bother). IMO without some sort of web of trust verification process for GPG, this just feels like added barriers for no actual win. In fact, if anything I think it's more likely to give the project a false sense of security.

Cheers,

John