spullara 4 hours ago

Nothing about this proves anything except that someone or something had access to the key.

lrvick an hour ago | parent

Do you think it is likely that the majority of the people that spent decades building this trust graph and gaining the trust needed to be release engineers on the packages that power the whole internet are just going to hand off control of that key to a bot?

Anyone doing so would be setting their professional reputations completely on fire, and burning your in-person-built web of trust is a once in a lifetime thing.

Basically, we trust the keys belong to humans and are controlled by humans because to do otherwise would be a violation of the universally understood trust contract and would thus be reputational bankruptcy that would take years to overcome, if ever.

Even so, we assume at least one maintainer is dishonest at all times, which is why every action needs signatures from two or more maintainers.
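The control described in that last comment (no single maintainer can act alone; every release action must carry valid signatures from two or more distinct maintainers) is easy to get subtly wrong if the verifier counts signatures rather than signers. Below is an added example, not code from the thread or from any project the commenters work on, of a threshold check written in Go using the standard library's ed25519. The keyring, the key-ID scheme (SHA-256 of the public key), the artifact bytes and the threshold of 2 are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is one maintainer's detached signature over the artifact digest.
// KeyID is a hypothetical identifier: hex(SHA-256(public key)).
type Signature struct {
	KeyID string
	Sig   []byte
}

// KeyID derives the hypothetical key identifier used by the trusted keyring.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// CountValidSigners returns how many DISTINCT trusted keys produced a valid
// signature over digest. Unknown keys and bad signatures are ignored, and a
// second signature from a key already counted does not raise the total, so
// one maintainer cannot satisfy a two-of-N rule by signing twice.
func CountValidSigners(trusted map[string]ed25519.PublicKey, digest []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.KeyID]
		if !ok || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, digest, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// MeetsThreshold reports whether at least `threshold` distinct trusted
// maintainers signed the SHA-256 digest of artifact.
func MeetsThreshold(trusted map[string]ed25519.PublicKey, artifact []byte, sigs []Signature, threshold int) bool {
	d := sha256.Sum256(artifact)
	return CountValidSigners(trusted, d[:], sigs) >= threshold
}

// Demo builds a constructed two-maintainer keyring plus one outsider key and
// exercises the four cases a release verifier must get right.
func Demo() (twoDistinct, sameKeyTwice, unknownSigner, tampered bool) {
	trusted := map[string]ed25519.PublicKey{}
	privs := make([]ed25519.PrivateKey, 0, 2)
	for i := 0; i < 2; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		trusted[KeyID(pub)] = pub
		privs = append(privs, priv)
	}
	// A key that is NOT in the keyring (e.g. a bot or an outsider).
	_, outsiderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	artifact := []byte("example-1.0.0.tar.gz contents (constructed sample)")
	d := sha256.Sum256(artifact)
	sign := func(priv ed25519.PrivateKey) Signature {
		pub := priv.Public().(ed25519.PublicKey)
		return Signature{KeyID: KeyID(pub), Sig: ed25519.Sign(priv, d[:])}
	}

	twoDistinct = MeetsThreshold(trusted, artifact, []Signature{sign(privs[0]), sign(privs[1])}, 2)
	sameKeyTwice = MeetsThreshold(trusted, artifact, []Signature{sign(privs[0]), sign(privs[0])}, 2)
	unknownSigner = MeetsThreshold(trusted, artifact, []Signature{sign(privs[0]), sign(outsiderPriv)}, 2)
	// Signatures were made over the original digest; a modified artifact must fail.
	tampered = MeetsThreshold(trusted, append(artifact, '!'), []Signature{sign(privs[0]), sign(privs[1])}, 2)
	return
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("two distinct maintainers: %v\n", a)
	fmt.Printf("same key twice:           %v\n", b)
	fmt.Printf("one trusted, one unknown: %v\n", c)
	fmt.Printf("tampered artifact:        %v\n", d)
}
```

The point of the dedup by key ID is the second scenario: a naive `len(validSigs) >= 2` check would accept one compromised maintainer key submitting two signatures, which defeats the "assume at least one maintainer is dishonest" assumption the comment describes.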