
> Always sign your commits!

Unfortunately PGP is fundamentally broken. Any identity (email address) can be trivially DoS'd by anyone, because the keyservers are (by design) write-only databases which anyone can add to.

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d695...




GitHub’s PGP signing feature doesn’t make use of keyservers. You have to explicitly add a PGP key to your account for GitHub to acknowledge that your commits are signed.


I think that actually means the notion of keyservers is fundamentally broken, not PGP.

I don't need a key server for me to sign or validate that something was signed by who it said it was if I exchanged my keys via a secure means.



