Is the onus really on people who write code here? It really should be on those who choose to use this unsigned code, surely?

▲

lrvick an hour ago | parent | next [-]

Anyone that maintains code for others to consume has a basic obligation to do the bare minimum to make sure their reputations are not hijacked by bad actors.

Just sign commits and reviews. It is so easy to stop these attacks that not doing so is like a doctor that refuses to wash their hands between patients.

If you are not going to wash your hands do not be a doctor.

If you are not going to sign your code do not be a FOSS maintainer.

▲

lorenzohess an hour ago | parent | prev [-]

Perhaps, but if it's gotten to the point where millions of people download the unsigned code, signing should probably become required. Even reproducible builds.

▲

4ndrewl an hour ago | parent [-]

Required by who though? If your business etc depends upon some code, it's up to you to ensure its quality, surely? You copy some code onto your machine then it's your codebase, right?

	▲	lrvick an hour ago \| parent [-]
		While I think anyone unwilling to sign their code is negligent, I also feel anyone unwilling to ensure credible review of code has been done before pushing it to production is equally negligent.