Oct. 25, 2017
7:11 p.m.
On Wed 2017-10-25 18:14:23 +0200, Simon Hanna wrote:
> For me as a user it would be more interesting to have a verified release signed by one key that's static rather than a commit history that is signed by many different keys that I don't know.
this is not an "either/or" thing. it's a "both, and!" thing. software provenance works at multiple levels, and for software that we care about, we should have a cryptographic path on as many of them as possible.