"I have to trust that the interface telling me that he has approved the PR is being truthful when I merge it." https://github.com/QubesOS/qubes-issues/issues/3958#issue-329274197
They'd love signed OTS'd ACKs:
What's the benefit to using OTS vs PGP signing an ACK that includes the date and time?
Say a vulnerability was merged 1 year ago and it was ACK'd by someone who has since had their PGP compromised. How would you know the ACK was signed ahead of the merge rather than after the key compromise?