If you extract some value from them, or even just like them because you feel like it improves your build, that is totally acceptable! My only complaint is when people claim it has security or trust benefits; I don't believe it does.
2
There is a trust+security benefit in being able to detect compromised build servers. Signing keys are best kept in a place where they can sign but not be leaked, e.g. via HSM or obs-signd.
1