On Wed, Sep 14, 2022 at 01:31:06PM +0200, Richard Biener via Gcc wrote:
> How does this improve supply chain security if the signing happens
> automagically rather than manually at points somebody actually
> did extra verification? That is, what's the attack vector this helps with?
>
> What's the extra space requirement if every commit is signed? I suspect
> the signatures themselves do not compress well.
Note, right now we sign the release tags and I think one basepoint
(basepoints/gcc-11) is signed too (but the rest of them aren't).
Jakub
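Added example (not from this thread and not GCC's own tooling): a small Python checker that takes the text `git cat-file -p <object>` prints for a tag or commit and reports whether a signature block is present and how many bytes it takes. Release tags such as gcc-12.1.0 carry the armored signature at the end of the tag message; signed commits carry it in a multi-line `gpgsig` header. All object bodies, hashes and signature bodies below are constructed for the example; the checker only finds the armor block and measures it, it does not verify the signature (that still needs `git verify-tag` / `git verify-commit` with the signer's key).

```python
"""Inspect raw git tag/commit objects for an embedded OpenPGP signature
and measure the bytes it occupies.  Sample objects are constructed; the
hashes and signature bodies are fake."""
from dataclasses import dataclass

PGP_BEGIN = "-----BEGIN PGP SIGNATURE-----"
PGP_END = "-----END PGP SIGNATURE-----"


@dataclass
class SignatureInfo:
    kind: str             # "tag" or "commit"
    name: str             # tag name, or the commit's tree id (abbreviated)
    signed: bool          # a complete BEGIN/END armor block is present
    object_bytes: int     # size of the whole object payload
    signature_bytes: int  # bytes occupied by the signature (0 if unsigned)


def _parse_headers(head: str) -> dict:
    """Fold the header block into a dict.  A line starting with one space
    continues the previous header; that is how 'gpgsig' spans lines."""
    headers, last = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and last is not None:
            headers[last] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value      # repeated keys (parent) collapse; unused here
            last = key
    return headers


def _gpgsig_raw_bytes(head: str) -> int:
    """Bytes of the raw 'gpgsig' header lines as stored in the object,
    including the 'gpgsig ' key and the one-space continuation prefixes."""
    collected = []
    for line in head.split("\n"):
        if line.startswith("gpgsig "):
            collected = [line]
        elif collected and line.startswith(" "):
            collected.append(line)
        elif collected:
            break
    return len("\n".join(collected).encode())


def inspect_object(raw: str) -> SignatureInfo:
    """Classify a raw tag or commit object and locate its armor block."""
    head, _, body = raw.partition("\n\n")
    headers = _parse_headers(head)
    total = len(raw.encode())
    if "tag" in headers and "object" in headers:
        start = body.find(PGP_BEGIN)
        end = body.find(PGP_END, start) if start != -1 else -1
        sig_len = 0 if end == -1 else end + len(PGP_END) - start
        return SignatureInfo("tag", headers["tag"], sig_len > 0, total, sig_len)
    if "tree" in headers:
        sig = headers.get("gpgsig", "")
        ok = sig.startswith(PGP_BEGIN) and sig.rstrip().endswith(PGP_END)
        sig_len = _gpgsig_raw_bytes(head) if ok else 0
        return SignatureInfo("commit", headers["tree"][:12], sig_len > 0, total, sig_len)
    raise ValueError("not a tag or commit object")


def summarize(objects) -> dict:
    """Signed/unsigned counts plus the bytes spent on signatures: the
    per-object cost behind the 'extra space if every commit is signed' question."""
    infos = [inspect_object(o) for o in objects]
    return {
        "signed": sum(1 for i in infos if i.signed),
        "unsigned": sum(1 for i in infos if not i.signed),
        "signature_bytes": sum(i.signature_bytes for i in infos),
        "object_bytes": sum(i.object_bytes for i in infos),
    }


# Constructed fake armor block (146 bytes); not a real signature.
_FAKE_ARMOR = "\n".join([PGP_BEGIN, "", "A" * 40, "B" * 40, "=CDEF", PGP_END])


def _as_gpgsig_header(armor: str) -> str:
    """Render an armor block the way git stores it in a commit header."""
    lines = armor.split("\n")
    return "gpgsig " + lines[0] + "".join("\n " + l for l in lines[1:])


# Constructed objects: a signed release-style tag, an unsigned basepoint-style
# annotated tag, and a signed commit.  Hashes are placeholders.
SIGNED_TAG = (
    "object 3a1b2c3d4e5f60718293a4b5c6d7e8f901234567\n"
    "type commit\n"
    "tag gcc-12.1.0\n"
    "tagger Release Manager <rm@example.invalid> 1651838400 +0200\n"
    "\n"
    "GCC 12.1.0 release\n" + _FAKE_ARMOR + "\n"
)
UNSIGNED_TAG = (
    "object 3a1b2c3d4e5f60718293a4b5c6d7e8f901234567\n"
    "type commit\n"
    "tag basepoints/gcc-13\n"
    "tagger Release Manager <rm@example.invalid> 1651838400 +0200\n"
    "\n"
    "GCC 13 basepoint\n"
)
SIGNED_COMMIT = (
    "tree 9f8e7d6c5b4a39281706f5e4d3c2b1a098765432\n"
    "parent 3a1b2c3d4e5f60718293a4b5c6d7e8f901234567\n"
    "author Dev <dev@example.invalid> 1663155066 +0200\n"
    "committer Dev <dev@example.invalid> 1663155066 +0200\n"
    + _as_gpgsig_header(_FAKE_ARMOR) + "\n"
    "\n"
    "Fix something\n"
)

if __name__ == "__main__":
    for obj in (SIGNED_TAG, UNSIGNED_TAG, SIGNED_COMMIT):
        print(inspect_object(obj))
    print(summarize([SIGNED_TAG, UNSIGNED_TAG, SIGNED_COMMIT]))
```

Run against real objects by feeding it `git cat-file -p <tag-or-commit>` output, e.g. over `git for-each-ref refs/tags` to see which tags (release tags versus basepoints) actually carry a signature block and what it costs per object.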