Maybe I'm making assumptions...
But isn't PGP-signing commits especially Bitcoin software... like basically mandatory? Your PGP key is basically who you are on the internet.
> Your PGP key is basically who you are on the internet.

Not really. It's just a cryptographic key. They expire, get lost, get stolen... so it's not "your identity".
For large public-facing repos it's unwise to rely on every individual contributor's security, so you don't build a process around that because if the process fails with one contributor leaking their keys, you're screwed. Instead you:
- Have pgp sigs on merge commits and tags
- Validate these
- Always be vigilant
If you have an active community, issues will be spotted. If you don't, you have to do the work yourself.
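One way to automate the "validate these" step from the list above, added here as an example that is not from this thread or from any project it mentions: it feeds git's `%G?` signature-status code for every merge commit through a policy check and runs `git verify-tag` over each tag. The sample log output is constructed (shortened SHAs), and the repository path is assumed.

```python
import subprocess
from typing import List, Tuple

# Meaning of git's %G? signature-status placeholder (git-log(1), PRETTY FORMATS).
STATUS = {
    "G": "good signature, key trusted",
    "U": "good signature, key of unknown trust",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "B": "bad signature",
    "E": "cannot check signature (key missing)",
    "N": "no signature",
}

# Constructed sample of `git log --merges --format='%G? %H %s'` output (shortened SHAs).
SAMPLE_LOG = """\
G 1a2b3c Merge pull request #101 from alice/fix-parser
U 4d5e6f Merge pull request #102 from bob/ci
N 7a8b9c Merge branch 'hotfix' into main
B 0d1e2f Merge pull request #103 from carol/feature
E 3f4a5b Merge pull request #104 from dave/docs
"""

def audit(log_text: str, allow_untrusted: bool = False) -> List[Tuple[str, str, str]]:
    """Return (sha, reason, subject) for every merge commit that fails policy.
    Policy: a merge needs a good signature from a trusted key; with
    allow_untrusted=True a good signature from an unverified key also passes."""
    accepted = {"G"} | ({"U"} if allow_untrusted else set())
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue  # blank or malformed line
        code, sha = parts[0], parts[1]
        subject = parts[2] if len(parts) > 2 else ""
        if code not in accepted:
            findings.append((sha, STATUS.get(code, "unknown status " + code), subject))
    return findings

def merge_log(repo: str = ".", rev_range: str = "HEAD") -> str:
    """Fetch the signature status of every merge commit in rev_range (assumed repo path)."""
    return subprocess.run(["git", "-C", repo, "log", "--merges", "--format=%G? %H %s",
                           rev_range], capture_output=True, text=True, check=True).stdout

def unverified_tags(repo: str = ".") -> List[str]:
    """Tags for which `git verify-tag` fails: unsigned, bad signature, or unknown key."""
    tags = subprocess.run(["git", "-C", repo, "tag", "--list"],
                          capture_output=True, text=True, check=True).stdout.split()
    return [t for t in tags
            if subprocess.run(["git", "-C", repo, "verify-tag", t], capture_output=True).returncode != 0]

if __name__ == "__main__":
    for sha, reason, subject in audit(SAMPLE_LOG):
        print(f"{sha}: {reason} :: {subject}")
```

Run `audit(merge_log(repo, "v1.0..HEAD"))` against a real checkout; `%G?` is only meaningful when gpg or ssh-keygen is available to git and the signers' keys are in its keyring or allowed-signers file.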
We use SSH signing that verifies in the same way, so PGP wouldn't have changed anything. A botched branch rule on one repo was the gap that allowed the push at all... and vigilance mode would have flagged it more visibly.
We don't distribute binaries that would need a signed hash
Yeah I get that. I have many private repos where I have commit signing off. On the public ones it's mandatory, simply because ownership is a must - it's more a precaution / nonrepudiation thing.
I self-host for private, but not public repos. Wouldn't recommend self-hosting public repos either, because it mostly just means more attack surface to worry about.