[shittyadmin]

He seems to be discouraging signing every commit's individual data but encouraging signing the actual commit ID (SHA1) which should be perfectly feasible for something like homebrew.

[mnarayan01]

> Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less.

[shittyadmin]

You're still getting a signature directly from the developer's machine, not from the repository server and as such you're still vastly shrinking the attack surface.

[mratzloff]

It's really not that hard to type a password into the terminal every time you commit.

[majewsky]

You have no idea how creative people get when faced with minor nuisances. I've seen devs/admins go to great lengths to avoid doing more than one 2FA per day.

[bigiain]

Like this?

https://www.youtube.com/watch?v=AsNwon4fjqY

A publicly available webcam pointed at an RSA SecurID hardware token...

(The optimist ion me hopes this was performance art. But I've worked with people who'd do that if it made their day ever so slightly easier...)