Replying to Avatar freemymind 🇨🇭

I disagree on this. Since when I download software I trust the developer. In case of opensource software, for sure there are many that have the opportunity to verify the code. But for example when I get that some developer coded a backdoor into his app. I would may not trust any app with his involvement anymore.

So I would still vote that the trust of an app always comes from the person that signes it.
Avatar
jb55 11mo ago

I don’t think you are disagreeing. Does signing releases not solve this problem?

Reply to this note

Please Login to reply.

Discussion

Avatar
joe 11mo ago

He is disagreeing. You said no one should trust developers, and everyone should read the code. He's saying he trusts developers instead of reading the code.

Avatar
jb55 11mo ago

Linux kernel doesn’t sign commits and they get the most contributors on the planet and have no issues. Fascinating 🤔

Avatar
freemymind 🇨🇭 11mo ago

No. nostr:nprofile1qyghwumn8ghj7mn0wd68ytnhd9hx2tcppemhxue69uhkummn9ekx7mp0qythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qyt8wumn8ghj7un9d3shjtnddaehgu3wwp6kytcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsqgpjuxp8vd29p6ancknaztql3eajk52y8xkppfn7au7elkw9c68zg59r80f0 is voting for signing a release instead of commits. So the developer who releases the code takes responsibility for all changes made. Means that whoever publishes the release should review the commits that get included.

He is not against the principle of developers signing code and taking responsibility. But just against doing it on a commit level.