-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05.05.16 10:08, David Lang wrote: > In an environment where the vast majority of people are unknown, > and any signing they are doing involves no liability, and no > assurance that the person is who they claim to be (other than > claiming to be someone who has access to that signing key), the > value of signatures is much less.
Can't this problem be solved using the web of trust? It is doesn't require a trusted certificate authority, thus is decentralized. Truth be told, getting your key signed by others is not a simple process, as it requires physical presence of both the signer and the one who gets the signature, it's better than nothing though. On 05.05.16 08:42, David Lang wrote: > how do you handle cases where the maintainer needs to fix a merge > or otherwise tweak the submission? As for commits, those shouldn't be edited, but a new commit should be created with necessary fixes, carrying the signature of the person doing the fixes. The original commit will have the signature of its creator. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJXKvdyAAoJECTakka9G8YAblQQAKBS+54Tj9AuJGmLbBsrejMP cR3aMGfd2naReoUizI9/EisjD1aEDlzhcyeRZ575OokN8Z1iFtbAS2bfXrt40lej RZfW2eXdo7Iwpay+sIuNQaqYg+dkE0T1L5M6/k3x1uHzH37Mw9p/6rJTypNXRusH qT0ZvNUlLXikgD2VgfCuhzexmbX7kE5/adBHHl/kOXnldEdJBOCYHKkHFRHBEEdo eya42OFcFHly633+bTQon7e8TqcPZwxarpOZBllpYNUqbEOVumCS6THoEjH98kbt bUaKrmfZh097l0fW+KUBKD/kuZY4lDqOfwBbEp6SC4pwV4yHFUImvIAo4HYEHs25 I6OCFJh8nLPPGSUhau0EmM/iG2BX+PDbAEQjHx0RA8eMqsBUdLXVbbZTPRn+ffq/ nHlzqB50Ud5rc8RIMYHNYy2k8s6kd6awTd+rb/+i1rKUilvLz6CDtRQaQeKEAiKf oXvMJnTOMFP3pCPP/pR93KH9PiGCJe3NYZf6wJYyKfo5YvZtBJW7jojcyhQ0MKrp XXvjjRYpR3hjw10oKCaB1648FgfRlT4hlVhSmWDniaAEKyKIxon8LvBYFhVkqwZw EqcccDsu2sp3Kk+zp961xIUda/ztrtxMeQiTIXUodTQBbIvy84obaPO73pexkoML quVKJyPCJs7pAV9UU/Wf =/FmW -----END PGP SIGNATURE----- _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev