> So if we want to make sure that something like XY doesn't happen, we > have to add some additional restrictions to those GPG keys. >
Looks like all those geeky colleagues of ours back in the day having key-signing parties at conferences were on to something, maybe.. Let's be clear about something -- having GPG key requirements isn't going to help a situation like XZ. The XZ attack was done by an active maintainer of the project (who arguably manipulated the original maintainer of the project to become a maintainer themselves). It was as much a social engineering attack as anything. Having GPG key requirements is all fine and dandy I suppose, but my tongue-in-cheek comment above has a real point behind it: GPG keys don't mean jack if you can't trust who owns the key. Unless we want to start limiting contributors to people who show up at conferences to do key signings of their GPG keys, I question exactly what this buys the project other than an illusion of security and additional complexity? I couldn't even really trust Derick to read me his GPG public key character-by-character over the phone now days thanks to AI. Just Sayin' John