Hm, my previous response to the list apparently never arrived.
intrigeri:
> Hi,
>
> after merging one more translation pull request, just by trusting the
> From header, fingers crossed that if an attacker had been spoofing
> this header to game us, then the person being spoofed would notice
> before any user is harmed... I'm wondering:
>
> Would it sound crazy, too painful, or what, if we required l10n pull
> requests to be OpenPGP-signed?
>
> Notes:
>
> * I'm only talking of the actual email requesting the merge.
> I'm relying on the person requesting the merge to have checked that
> the proposed diff doesn't contain anything nasty.
>
> * Even if we don't strictly require this, perhaps translators who are
> at ease with OpenPGP can start signing their pull requests
> systematically? (So at least we know that an unsigned pull request
> seemingly coming from them might be fishy.)
>
> * I'm particularly concerned that this would raise the (already high)
> barrier again for new translation teams, and new members of
> existing teams.
>
> * Introducing some amount of OpenPGP usage in here might be a first
> step toward automating the pull/merge workflow a bit, some day.
> But I can think of other ways to do that without involving OpenPGP.
I like the idea.
I don't think that it raises the bar too high, simply because it
would still permit (new) people to do their translations without having
to bother and then request a review.
There has to be only one person in a team who knows how to use OpenPGP
in the scenario you describe.
So, this proposal gets my full ack.
cheers!
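For readers who want to see what the proposed check would look like on the maintainer's side, here is an added example (not code from this thread, from intrigeri, or from the project's own tooling). It parses an RFC 3156 multipart/signed mail, hands the signed part and the detached signature to gpg, and accepts the merge request only when gpg reports a good signature from the key fingerprint registered for the From address. The allowlist, the sample mail, the fingerprints and the function names are all constructed for the example; the placeholder signature in the sample would be rejected by gpg, it only exercises the MIME handling.

```python
"""Check that a merge-request mail is OpenPGP-signed by the key expected for its sender.

Added example: a maintainer-side check for the signed-pull-request workflow
discussed on the list. Everything here (allowlist, sample mail, fingerprints)
is constructed; the real team's values would replace the placeholders.
"""
import email
import email.utils
import os
import subprocess
import tempfile
from email import policy

# Hypothetical allowlist: From address -> fingerprint of that translator's signing key.
# The fingerprint is a placeholder, not a real key.
TRUSTED_SIGNERS = {
    "translator@example.org": "0000000000000000000000000000000000000000",
}

# Constructed sample: a pull-request mail in RFC 3156 form with a placeholder signature.
SAMPLE_MAIL = b"\r\n".join([
    b"From: Alice <translator@example.org>",
    b"To: list@example.org",
    b"Subject: [PULL] fr translation update",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/signed; micalg=pgp-sha256; '
    b'protocol="application/pgp-signature"; boundary="sig"',
    b"",
    b"--sig",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Please pull from https://example.org/git/repo branch fr-update",
    b"",
    b"--sig",
    b"Content-Type: application/pgp-signature",
    b"",
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"placeholderSignatureDataNotARealSignature==",
    b"-----END PGP SIGNATURE-----",
    b"--sig--",
    b"",
])


def sender_address(raw):
    """Bare address from the From header (the header an attacker can spoof freely)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return email.utils.parseaddr(str(msg["From"]))[1]


def split_signed_message(raw):
    """Return (signed_bytes, detached_signature) for a multipart/signed mail, else None.

    The signed data is the first MIME part verbatim, headers included, with CRLF
    line endings as RFC 3156 requires; that byte string is what gpg must verify.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return None
    parts = list(msg.iter_parts())
    if len(parts) != 2 or parts[1].get_content_type() != "application/pgp-signature":
        return None
    signed = parts[0].as_bytes(policy=policy.SMTP)
    return signed, parts[1].get_payload(decode=True)


def parse_gpg_status(status_output):
    """Fingerprint of the signing key if gpg's --status-fd output reports a good
    signature, else None. GOODSIG must be present; VALIDSIG carries the full
    fingerprint, which is what gets compared against the allowlist."""
    good, fingerprint = False, None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fingerprint = fields[2]
    return fingerprint if good else None


def decide(sender, fingerprint, trusted=TRUSTED_SIGNERS):
    """Fail closed: unknown senders, unsigned mails and key mismatches are all rejected."""
    if sender not in trusted:
        return False, "sender has no registered signing key"
    if fingerprint is None:
        return False, "no valid OpenPGP signature"
    if fingerprint != trusted[sender]:
        return False, "signed by a key not registered for this sender"
    return True, "good signature from the sender's registered key"


def verify_pull_request(raw, trusted=TRUSTED_SIGNERS):
    """Full check: MIME split, gpg verification, allowlist match."""
    sender = sender_address(raw)
    parts = split_signed_message(raw)
    if parts is None:
        return decide(sender, None, trusted)
    signed, signature = parts
    with tempfile.TemporaryDirectory() as tmp:
        data_path = os.path.join(tmp, "signed.eml")
        sig_path = os.path.join(tmp, "signed.eml.asc")
        with open(data_path, "wb") as f:
            f.write(signed)
        with open(sig_path, "wb") as f:
            f.write(signature)
        try:
            proc = subprocess.run(
                ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                capture_output=True, text=True)
        except FileNotFoundError:
            return False, "gpg not available, cannot verify"
    return decide(sender, parse_gpg_status(proc.stdout), trusted)


if __name__ == "__main__":
    print(verify_pull_request(SAMPLE_MAIL))
```

The point of keying the allowlist on the From address is exactly the case raised in the thread: a spoofed From header with no signature, or with a signature from some other key, is rejected without anyone having to notice after the fact. Translators not yet using OpenPGP are simply absent from the allowlist, so their requests fall back to the manual review path rather than being auto-accepted.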