Hi,

Authentication tells us only: "This commit was made using a trusted private key." But what we actually care about is: "Does this commit behave as intended, without bugs or backdoors?"

A bad actor can still send a good patch, and a trusted maintainer can still make a mistake, be pressured, or lose their private key. Will `guix git authenticate` detect or prevent any of that? No. It won't.

So if authentication doesn't protect us from bad code or bad intentions, and doesn't even tell us whether the signer was truly in control of their key - then what real problem is it solving?

Cheers
Bost
