
If you autosign every commit then you aren't validating anything anyway. All that means is you have another mindless process running automatically in the background. So what's your point?



You're talking about two different threats / attacks:

1. Someone got access allowing them to push commits.

2. Someone got access allowing them to push commits and also got unrestricted access to the trusted PGP key.

In the first case, auto-signing will expose the issue. In the second, not. But in the second case, you're likely screwed in many other ways.
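As an added example that is not part of either comment above: a receiving-side check that makes the distinction concrete by auditing the output of `git log --format='%H %G? %GF'`. The allowlist fingerprint, commit ids and log lines are constructed for illustration.

```python
# Audit the text produced by:  git log --format='%H %G? %GF'
# %G? is git's signature status letter, %GF the signing key's fingerprint.

# Assumption: hypothetical allowlist of trusted signing-key fingerprints.
TRUSTED_FINGERPRINTS = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}

# Meaning of the %G? status letters other than "G" (good signature).
FAILURES = {
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked",
    "N": "no signature",
}

# Constructed sample log (short fake commit ids).
SAMPLE_LOG = """\
c1 G AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
c2 N
c3 G BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
c4 G AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
"""


def audit(log_text, trusted=TRUSTED_FINGERPRINTS):
    """Return (commit, reason) for every commit that fails the policy."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        commit, status = parts[0], parts[1]
        fingerprint = parts[2] if len(parts) > 2 else ""
        if status != "G":
            findings.append((commit, FAILURES.get(status, "unknown status")))
        elif fingerprint not in trusted:
            findings.append((commit, "valid signature from untrusted key"))
    return findings


if __name__ == "__main__":
    for commit, reason in audit(SAMPLE_LOG):
        print(f"{commit}: {reason}")
```

Commits `c2` and `c3` stand for case 1 (push access without the trusted key) and are flagged; `c4` stands for case 2 and passes, because a commit made with the trusted key is indistinguishable from a legitimate one.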



