Sylvain Beucler wrote:

> Another "benefit" is that in the case of a new server compromise, and
> if a CVS file is successfully altered, the person to blame is not the
> server maintainer anymore (for not securing the server properly), but
> rather the developer (for not securing his GPG keys properly).
>
> Of course that's no excuse for poor security.

Of course, a "developer compromise", where a hacker gains access to a single developer's GPG keys, might compromise a handful of projects, and even something as simple as an email list for commit messages might help mitigate that worry. A server compromise, without commits signed by individual developers, might compromise, well, Savannah is showing 2468 projects right now.

Regards,

Derek

--
Derek R. Price
CVS Solutions Architect
Ximbiot <http://ximbiot.com>
v: +1 717.579.6168
f: +1 717.234.3125
<mailto:[EMAIL PROTECTED]>

_______________________________________________
Bug-cvs mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/bug-cvs
