by thyristan
500 days ago
Your tool recommendations are actively harmful and dangerous in places. You wholeheartedly recommend Sigstore, a trusted-third-party system which plainly trusts the auth flows of the likes of Google or GitHub. It is basically a signature by OpenID login. This is no better than just viewing everything from github.com/someuser as trusted. The danger of key theft is replaced by the far higher danger of account theft, password loss and the usual numerous auth-flow problems with OpenID. Why should I take those recommendations seriously?