sigstore.dev/

welp, I see a bunch of corporate logos plastered on the thing and I am instantly skeptical.

what can this do that GPG-signing Git commits can't do? :thonking:

@theruran Ah yes, just what decentralized code hosting has been needing: forcing TLS-style certificate authorities into it and making anybody who's actually decentralized a second-class “insecure” citizen

@nytpu @theruran I feel like this is for corporations who only want to trust the OSS assets of other corporations … with what looks like an insanely complex, Kubernetes, enterprise type bullshit solution no real OSS developer ever asked for.
