Hacker News new | ask | show | jobs
by lrvick 80 days ago
I can prove that code was signed by a key that was verified to belong to a single human body by lots of in-person high reputation humans.

How the code was authored, who cares, but I can prove it had multiple explicit cryptographic human signoffs before merge, and that is what matters in terms of quality control and supply chain attack resistance.
1 comments
nothrabannosir 80 days ago
Exactly. So in the words of the comment you replied to: why are we wasting energy on worrying about Claude code impersonating humans? We have that solution you proposed.

That’s what I mean by “you agree with the person to whom you replied”

link
lrvick 80 days ago
I suppose you are correct. I am agreeing that if one widely deployed the defense tactics projects like stagex use, then asshats using things like undercover will not be trusted.

Unfortunately outside of classic Linux packaging platforms, useful web of trust and signing is very rare, so I expect things like undercover mode being popular are going to make everything a lot worse before it gets better.

link
nothrabannosir 80 days ago
Your last point, I think, is why so many sibling commenters are balking at GP :)
link