Hi,
On Fri, Jun 13, 2014 at 11:34 PM, intrigeri <intrigeri@???> wrote:
> Hi,
>
> after merging one more translation pull request, just by trusting the
> From header, fingers crossed that if an attacker had been spoofing
> this header to game us, then the person being spoofed would notice
> before any user is harmed... I'm wondering:
>
> Would it sound crazy, too painful, or what, if we required l10n pull
> requests to be OpenPGP-signed?
just interested: shouldn't this be much more of a problem for the parts
of Tails that few people ever look at?
In another recent mail you mentioned PGP signed git commits,
but I haven't found anything about that in the documentation
(e.g.
https://tails.boum.org/contribute/merge_policy/ doesn't mention
signed commits). Do these provide enough protection?
Cheers,
Frithjof
