by yencabulator
1249 days ago
The public keys for those signatures have already been downloaded by any vendor who knows what they're doing; a new TLS forgery vulnerability won't really hurt there. Or, let's put it this way: If you don't bother with the signatures, a TLS forgery likely isn't the easiest way to feed you a fake openssl release, hijacking an account or hacking GitHub et al are. Also, GitHub itself verifies Git signatures, and the maintainers seem to have GitHub's "vigilant mode" on.