[deepsun]

Kinda. Since it's Public Domain, there's little to no use in signing the code, because they explicitly forfeited any rights to it.

Public Domain means you can legally take their code, riddle it with malware, and distribute, claiming that's the real and true Direct File source code, and you are its author. What you do with malware is a different legal issue of course.

So I'm not sure proving you are commit owner by signing it is really helpful if anyone can do it as well, and there's no copyright holder to decide who's right.

[justinrubek]

Copyright doesn't have anything to do with it, even remotely. I don't care who owns it or who claims to own it. But it may be useful to verify that the commit came from the government.

[deepsun]

But how do you verify?

Let's say you see a green checkmark on GitHub that confirms the commit was really made by GitHub user @totally_legit_government_absolutely_not_hacker.

Unless you already have their public GPG key in your private keychain, and you marked it as "trusted" previously, there's not really much more info to that.

UPDATE: besides, the government is like a million people, some of them are malicious actors.

[zbentley]

Setting aside malicious government employees, the authN part of this seems like something for which technical solutions exist. Governments could operate PKI trusts and link their employees’ development credentials (in the US, this would be a PIV card or something like it) to that certificate chain. Commits, or committer identity, could be signed via that chain. The dual security of “physical/secure individual credential signing via an available-on-internal-government-network-only authority”, with a public authority available for validation, seems like it would be so secure as to be … close enough for government work.

[deepsun]

Yep, that would work. I just noted that current GitHub green checkmark doesn't really guarantee anything for the DirectFile repo.