vlsi commented on PR #3985: URL: https://github.com/apache/logging-log4j2/pull/3985#issuecomment-3542881244
I see there are lots of build failures which I can't easily address. However, I would like to hear from the maintainers regarding the idea of dropping the dependency.

ChatGPT suggests that asking for commit signing from external contributors provides friction yet it adds no value: https://chatgpt.com/share/691b516b-0ff4-800f-9ea4-b53358ed3ae9

> So in that context, mandatory signing for all PRs usually gives:
> * Extra friction: people struggle with GPG, smartcards, expired keys, email mismatch, etc.
> * Almost no extra assurance: you still review the code and trust the GitHub account/maintainer who presses “Merge”.
