On Wed, Sep 14, 2022 at 2:07 PM Ulrich Drepper <drep...@redhat.com> wrote:

> On Wed, Sep 14, 2022 at 1:31 PM Richard Biener <richard.guent...@gmail.com>
> wrote:
>
>> How does this improve supply chain security if the signing happens
>> automagically rather than manually at points somebody actually
>> did extra verification?
>
>
> It works only automatically if you have ssh-agent (and/or gpg-agent)
> running.  I assume that's what developers do anyway because that's how they
> like to push changes to sourceware.  If you don't have an agent you'll have to
> provide the signature of the signing key at the time of the commit.
>

This was the last message I sent and no further questions or comments
arrived.

Shall I prepare a small patch with an initial version of the key files
(with my key), perhaps a patch to the setup script Jonathan mentioned, and
a few words to be added to a README or similar file (which?)?

Initially this could be optional and we could gather data on the pickup and
only after an initial period switch to make the signing mandatory.
