Contributed by rueda from the ouroboros dept.
Further details are on the OpenSSH development mailing list:
[…] We are in the process of converting the portable OpenSSH repository to require signed commits, tags and pushes, using git's recent ssh signature support. So far it's gone very smoothly, and we hope to have it enforced for all commits soon. We maintain our own git repository for portable OpenSSH, that is automatically mirrored to github. We use "pre-receive" and "update" hooks to check for signed pushes and tags/commits respectively, using an in-repository allowed_signers file. […]
This is a most welcome process integrity improvement that hopefully will make the world trust our favorite SSH software even more.
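An "update" hook of the kind the message describes could look like the sketch below. This is an added example, not the OpenSSH project's own hook: it covers commits only (not tags or push certificates), and it assumes the signer list is a file named allowed_signers on a branch named master, both hypothetical names.

```shell
#!/bin/sh
# Added example: an "update" hook that requires SSH-signed commits.
# Not the OpenSSH project's hook. Assumed (hypothetical) names: the signer
# list is the file "allowed_signers" on branch "master". Needs git >= 2.34.
TRUSTED_REF=${TRUSTED_REF:-refs/heads/master}
SIGNERS_PATH=${SIGNERS_PATH:-allowed_signers}

# True for the all-zero object id git passes for a created or deleted ref.
is_zero() { case "$1" in *[!0]*) return 1 ;; esac; }

# Print the rev-list arguments selecting the commits a ref update introduces.
# $1=oldrev $2=newrev. Returns 1 for a deletion, which introduces nothing.
new_commit_args() {
    if is_zero "$2"; then return 1
    elif is_zero "$1"; then echo "$2 --not --all"   # new ref: skip known history
    else echo "$1..$2"
    fi
}

# Verify every introduced commit. $1=refname $2=oldrev $3=newrev.
verify_update() {
    args=$(new_commit_args "$2" "$3") || return 0
    signers=$(mktemp) || return 1
    # Take the signer list from the ref as it stands before this push, so a
    # pushed commit cannot authorise its own key. Fails closed if absent.
    git show "$TRUSTED_REF:$SIGNERS_PATH" >"$signers" &&
        commits=$(git rev-list $args) || { rm -f "$signers"; return 1; }
    rc=0
    for c in $commits; do
        git -c gpg.ssh.allowedSignersFile="$signers" verify-commit "$c" \
            >/dev/null 2>&1 ||
            { echo "rejected $1: $c lacks a trusted signature" >&2; rc=1; }
    done
    rm -f "$signers"
    return $rc
}

# Run only when installed as hooks/update; sourcing the file just defines
# the functions.
case "${0##*/}" in
    update) verify_update "$1" "$2" "$3" || exit 1 ;;
esac
```

Because the signer list is read from the existing branch tip, a change to allowed_signers must itself be signed by a key the previous list already trusts.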