Git's signed commit / tag support is problematic even without PGP because it uses signatures hard-wired into the objects. It has no way to add additional signatures after the fact, which is a huge problem.
Even if you're using PGP, it's better to use Git notes than their system.
It should be possible to rotate keys and provide new signatures replacing the old ones made with the key that's being retired.
Git notes mean you can just not fetch all the legacy signatures, etc. It's pretty gross having PGP bloat hard-wired into each commit / tag object...
It's particularly bad with commits, because with tags you could at least create new tags with a suffix / prefix indicating that they're made with the new signing key.
For commits... all future commits have a hash incorporating all those hard-wired PGP signatures.
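To make the hash point concrete, here is an added example (not from the original post) that computes Git SHA-1 object IDs by hand and compares re-signing an embedded `gpgsig` header with keeping the signature outside the object. The identity, timestamps and signature strings are constructed placeholders, and the `notes` dict is only a stand-in for a notes ref such as `refs/notes/*`, which Git stores separately from the commits it annotates.

```python
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # Git's well-known empty tree ID
# Constructed placeholder signatures, not real PGP output.
OLD_SIG = "-----BEGIN PGP SIGNATURE-----\n\nOLD-KEY-PLACEHOLDER\n-----END PGP SIGNATURE-----"
NEW_SIG = "-----BEGIN PGP SIGNATURE-----\n\nNEW-KEY-PLACEHOLDER\n-----END PGP SIGNATURE-----"

def git_object_id(obj_type, body):
    """Object ID as Git computes it: SHA-1 over '<type> <len>\\0' + body."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()

def commit_body(tree, parents, message, gpgsig=None):
    """Serialize a commit. An embedded signature is the 'gpgsig' header,
    with each continuation line indented by one space."""
    ident = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}"]
    if gpgsig is not None:
        lines.append("gpgsig " + gpgsig.replace("\n", "\n "))
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()

def chain(sig_for_first=None):
    """IDs of a two-commit history; only the first commit may carry a signature."""
    first = git_object_id("commit", commit_body(EMPTY_TREE, [], "first", sig_for_first))
    second = git_object_id("commit", commit_body(EMPTY_TREE, [first], "second"))
    return first, second

def embedded_rotation():
    """Swap the hard-wired signature: the commit and its descendant get new IDs."""
    return chain(OLD_SIG), chain(NEW_SIG)

def detached_rotation():
    """Keep signatures outside the object (modelled as a dict keyed by commit ID):
    one can be added later and the old one dropped without touching any ID."""
    ids = chain(None)
    notes = {ids[0]: [OLD_SIG]}
    notes[ids[0]].append(NEW_SIG)   # additional signature after the fact
    notes[ids[0]].remove(OLD_SIG)   # retire the signature from the old key
    return ids, notes

if __name__ == "__main__":
    old_ids, new_ids = embedded_rotation()
    print("embedded, old key:", old_ids)
    print("embedded, new key:", new_ids)
    print("detached         :", detached_rotation()[0])
```
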