
Why not use GNU diff format diffs with GPG signatures?


• Classical diffs don't do binary very well.
• GPG as a subprocess is slow, tricky and fragile; using the botan crypto library in-process is fast, simple and reliable.
• Classical diffs may be whitespace-mangled, which invalidates signatures, so you need to ascii-armor it anyway.
• OpenPGP packet format is quite baroque; we need much less than it can do.
• The web of trust is useful for verifying that the name on a key matches the name on a passport. It isn't very useful for verifying that the holder of a key should have commit access to your project. We like to trust keys based on the quality of the code they sign, not based on the name attached to them. (In fact, every VCS we know of that does use OpenPGP keys doesn't leverage the web of trust at all, but rather requires you to explicitly upload each key you want to trust.)
• In the rare case where you do know that the person whose passport says "Jane Doe" is a hotshot coder who should definitely have commit access, you can always
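The whitespace-mangling point above is easy to reproduce. The following Python is an added illustration, not code from the original answer or from the project it describes: it signs a small unified diff, runs it through the kind of transformation a mail gateway or web form applies (trailing blanks stripped, tabs expanded), and shows that the signature no longer verifies, while the same diff wrapped in base64 armor survives the same mangling. An HMAC under a hypothetical shared key stands in for a public-key signature; the sample diff, the mangling rules and the armor markers are all constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a minimal unified diff whose lines carry a trailing
# space and real tabs, exactly the bytes that transports tend to rewrite.
SAMPLE_DIFF = (
    "--- a/hello.c\n"
    "+++ b/hello.c\n"
    "@@ -1,3 +1,3 @@\n"
    " int main(void) \n"      # trailing space after the brace-less signature
    "-\treturn 1;\n"          # leading tab
    "+\treturn 0;\n"
)

# Hypothetical shared key; an HMAC stands in for a public-key signature here.
KEY = b"example-shared-key"


def sign(data: bytes) -> bytes:
    """Produce a MAC over the exact bytes that were 'signed'."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    """Constant-time check that sig matches data byte for byte."""
    return hmac.compare_digest(sign(data), sig)


def mangle_whitespace(text: str) -> str:
    """Model a lossy transport: strip trailing blanks and expand tabs to spaces."""
    return "\n".join(line.rstrip(" ").expandtabs(8) for line in text.split("\n"))


def armor(data: bytes) -> str:
    """Base64-wrap the payload so whitespace edits cannot reach the signed bytes."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN ARMORED DIFF-----\n"
            + "\n".join(lines)
            + "\n-----END ARMORED DIFF-----\n")


def dearmor(text: str) -> bytes:
    """Recover the payload, ignoring any whitespace the transport added or removed."""
    body = text.split("-----BEGIN ARMORED DIFF-----")[1]
    body = body.split("-----END ARMORED DIFF-----")[0]
    return base64.b64decode(re.sub(r"\s+", "", body))


def raw_diff_survives_mangling() -> bool:
    """Sign the raw diff, mangle it in transit, verify the received bytes."""
    sig = sign(SAMPLE_DIFF.encode())
    received = mangle_whitespace(SAMPLE_DIFF).encode()
    return verify(received, sig)


def armored_diff_survives_mangling() -> bool:
    """Same signature, but the diff travels inside base64 armor."""
    payload = SAMPLE_DIFF.encode()
    sig = sign(payload)
    received = mangle_whitespace(armor(payload))
    return verify(dearmor(received), sig)


if __name__ == "__main__":
    print("raw diff verifies after mangling:    ", raw_diff_survives_mangling())
    print("armored diff verifies after mangling:", armored_diff_survives_mangling())
```

The armor only protects the bytes under the signature from the transport; it does nothing about the other objections in the list (binary content, the cost of shelling out to GPG, or who should be trusted), which is why the answer treats armoring as a necessary extra step rather than a fix.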
