I disagree on this. Since when I download software I trust the developer. In case of opensource software, for sure there are many that have the opportunity to verify the code. But for example when I get that some developer coded a backdoor into his app. I would may not trust any app with his involvement anymore.
So I would still vote that the trust of an app always comes from the person that signes it.
I don’t think you are disagreeing. Does signing releases not solve this problem?
He is disagreeing. You said no one should trust developers, and everyone should read the code. He's saying he trusts developers instead of reading the code.
Linux kernel doesn’t sign commits and they get the most contributors on the planet and have no issues. Fascinating 🤔
No. nostr:nprofile1qyghwumn8ghj7mn0wd68ytnhd9hx2tcppemhxue69uhkummn9ekx7mp0qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qyt8wumn8ghj7un9d3shjtnddaehgu3wwp6kytcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsqgpjuxp8vd29p6ancknaztql3eajk52y8xkppfn7au7elkw9c68zg59r80f0 is voting for signing a release instead of commits. So the developer who releases the code takes responsibility for all changes made. Means that whoever publishes the release should review the commits that get included.
He is not against the principle of developers signing code and taking responsibility. But just against doing it on a commit level.
