lrvick 3 hours ago

I can prove that code was signed by a key that was verified to belong to a single human body by lots of in-person high reputation humans.

How the code was authored, who cares, but I can prove it had multiple explicit cryptographic human signoffs before merge, and that is what matters in terms of quality control and supply chain attack resistance.
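
The merge policy sketched in this comment, as an added example (not lrvick's code and not anything from stagex): a keyring of identities whose keys have been vouched for, and a gate that only passes a change once at least N distinct identities from that keyring have signed its digest. All names, keys and the change digest are constructed here; the gate deliberately treats a non-verifying signature from a trusted key as a hard error rather than ignoring it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signoff is one reviewer's detached signature over the digest of a change.
type Signoff struct {
	Signer    string // identity under which the key was vouched for, e.g. "alice"
	Signature []byte
}

// Keyring maps a vouched-for identity to its public key: the set of keys the
// web of trust (or a project's signer manifest) has accepted.
type Keyring map[string]ed25519.PublicKey

var ErrBadSignature = errors.New("signature from a trusted key failed to verify")

// CountSignoffs returns how many distinct trusted identities validly signed digest.
// Unknown signers are skipped (their signatures carry no trust), a repeated
// identity counts once, and a trusted identity whose signature does not verify
// is a hard failure rather than something to skip quietly.
func CountSignoffs(digest []byte, signoffs []Signoff, ring Keyring) (int, error) {
	seen := make(map[string]bool)
	for _, s := range signoffs {
		pub, trusted := ring[s.Signer]
		if !trusted {
			continue
		}
		if !ed25519.Verify(pub, digest, s.Signature) {
			return 0, fmt.Errorf("%w: %s", ErrBadSignature, s.Signer)
		}
		seen[s.Signer] = true
	}
	return len(seen), nil
}

// MeetsThreshold is the merge gate: at least threshold distinct trusted signoffs.
func MeetsThreshold(digest []byte, signoffs []Signoff, ring Keyring, threshold int) (bool, error) {
	n, err := CountSignoffs(digest, signoffs, ring)
	if err != nil {
		return false, err
	}
	return n >= threshold, nil
}

// DemoResult records the outcome of each constructed scenario in Demo.
type DemoResult struct {
	TwoDistinctOK bool // alice + bob: passes a 2-signature policy
	DuplicateOK   bool // alice twice: does not pass
	UnknownOK     bool // alice + a key nobody vouched for: does not pass
	TamperedErr   bool // bob's signature over a different digest: hard error
}

// Demo builds a constructed keyring (three reviewers plus one unvouched key),
// a fake change digest, and runs four signoff sets through a 2-signature policy.
func Demo() (DemoResult, error) {
	var res DemoResult
	ring, priv := Keyring{}, map[string]ed25519.PrivateKey{}
	for _, name := range []string{"alice", "bob", "carol", "stranger"} {
		pub, pk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return res, err
		}
		if name != "stranger" { // the stranger's key was never vouched for
			ring[name] = pub
		}
		priv[name] = pk
	}
	sum := sha256.Sum256([]byte("constructed change under review"))
	other := sha256.Sum256([]byte("constructed: a different change"))
	digest := sum[:]
	sign := func(name string, d []byte) Signoff {
		return Signoff{Signer: name, Signature: ed25519.Sign(priv[name], d)}
	}
	gate := func(ss ...Signoff) (bool, error) { return MeetsThreshold(digest, ss, ring, 2) }

	var err error
	if res.TwoDistinctOK, err = gate(sign("alice", digest), sign("bob", digest)); err != nil {
		return res, err
	}
	if res.DuplicateOK, err = gate(sign("alice", digest), sign("alice", digest)); err != nil {
		return res, err
	}
	if res.UnknownOK, err = gate(sign("alice", digest), sign("stranger", digest)); err != nil {
		return res, err
	}
	_, err = gate(sign("alice", digest), sign("bob", other[:]))
	res.TamperedErr = errors.Is(err, ErrBadSignature)
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The keyring is the part the rest of the thread is about: the check is only as strong as the process that put each public key next to an identity, so an unvouched key signing a change counts for nothing here no matter how the change was produced.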

nothrabannosir 2 hours ago | parent [-]

Exactly. So in the words of the comment you replied to: why are we wasting energy on worrying about Claude code impersonating humans? We have that solution you proposed.

That’s what I mean by “you agree with the person to whom you replied”.

lrvick an hour ago | parent [-]

I suppose you are correct. I am agreeing that if one widely deployed the defense tactics projects like stagex use, then asshats using things like undercover will not be trusted.

Unfortunately outside of classic Linux packaging platforms, useful web of trust and signing is very rare, so I expect things like undercover mode being popular are going to make everything a lot worse before it gets better.

nothrabannosir an hour ago | parent [-]

Your last point, I think, is why so many sibling commenters are balking at GP :)