On Saturday, 6 April 2024 18:22:22 CEST Sven Brauch wrote:

> This is basically a discussion about whether it is less risky to trust
> the individual developers, or the people with access to the CI signing
> key. You are trading likeliness of there being one bad actor vs. impact
> one bad actor can have. It's a matter of personal opinion; there is no
> right or wrong choice here.
No, it is not. The key is that the infrastructure creation needs to also be automated. Once you have the *bootstrap*, you can trust the automation because you can review and audit it (to a certain degree, of course; there is nothing bulletproof).

I have been surprised for years at how the KDE infrastructure is handled (so many things done manually), but as I am not _in_ I cannot really judge, because I don't know all of the circumstances and context.

Best regards,
Marc