On Mon, Mar 31 2025 at 08:09:49 PM +00:00:00, Zbigniew
Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
OK, I guess I need to work on my English. You're the second person who
read the abovequoted part in the exact opposite way to what I
intended :(
Hm, well I misread. You didn't write the wrong thing.
But honestly I'm not sure that using an upstream GPG-signed tarball is
really more trustworthy than using a forge-generated tarball. The
question is: do I trust the upstream forge infrastructure more, or do I
trust the computers of the maintainers who have access to the GPG
signing key more? I think a compromise of GitHub infrastructure is less
likely than a compromise of an individual maintainer, so it really
probably does make sense to trust the forge.
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
