I feel like if we as the open source community would require commit signing we would be in a safer position. Crypto signing doesn't block malware from being introduced, but it would make it harder to sneak under our noses.
Currently in open source, you really don't know where your code is coming from and who worked on it. Git's "commit author" fields don't require any proof of identity; that's what GPG is for.
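The post's point, that the author field is free text while a signature is bound to a key, can be turned into a concrete history check. The script below is an added example, not code from the original post or from any project: it parses lines in the shape `git log --format='%H|%G?|%GK|%ae'` produces (the `%G?` status letters are the ones documented in git-log(1)) and accepts a commit only when the signature is good and the signing key is on an allowlist for that author's e-mail. The log lines and the key allowlist are constructed for illustration, so both the key IDs and the addresses are assumptions.

```python
"""Policy check over signed git history (added example, not from the post).

Expected input lines come from:
    git log --format='%H|%G?|%GK|%ae'
i.e. commit hash, signature status, long key ID of the signer (empty when
unsigned), and author e-mail, separated by '|'.
"""
from dataclasses import dataclass

# %G? status codes as documented in git-log(1).
GOOD = {"G"}                 # good signature from a key with full trust
WEAK = {"U", "X", "Y"}       # good signature, but key untrusted or expired
BAD = {"B", "R", "E", "N"}   # bad signature, revoked key, unverifiable, none

# Constructed allowlist: which signing keys may vouch for which author
# addresses. A real project would generate this from its maintainer roster.
TRUSTED_KEYS = {
    "ABCDEF0123456789": {"alice@example.org"},
    "0123456789ABCDEF": {"bob@example.org"},
}

# Constructed sample log. Commit 2 claims an author but carries no
# signature; commit 3 is a valid signature by Bob's key on a commit whose
# author field says Alice; commit 4 is signed by a key git does not trust.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|G|ABCDEF0123456789|alice@example.org
2222222222222222222222222222222222222222|N||mallory@example.org
3333333333333333333333333333333333333333|G|0123456789ABCDEF|alice@example.org
4444444444444444444444444444444444444444|U|FEDCBA9876543210|carol@example.org
"""


@dataclass
class Verdict:
    commit: str
    status: str
    key: str
    author: str
    ok: bool
    reason: str


def check_commit(line: str) -> Verdict:
    """Decide whether one log line satisfies the signing policy."""
    commit, status, key, author = line.rstrip("\n").split("|", 3)
    if status in BAD:
        return Verdict(commit, status, key, author, False,
                       "no signature" if status == "N"
                       else f"signature status {status} is not acceptable")
    if status in WEAK:
        return Verdict(commit, status, key, author, False,
                       f"signature verifies but key is not trusted ({status})")
    if status not in GOOD:
        return Verdict(commit, status, key, author, False,
                       f"unknown %G? status {status!r}")
    # Good signature: now bind the key to the identity in the author field.
    allowed = TRUSTED_KEYS.get(key)
    if allowed is None:
        return Verdict(commit, status, key, author, False,
                       f"key {key} is not on the project allowlist")
    if author not in allowed:
        return Verdict(commit, status, key, author, False,
                       f"key {key} may not sign as {author}")
    return Verdict(commit, status, key, author, True, "signed by allowlisted key")


def audit(log_text: str) -> list[Verdict]:
    """Run check_commit over every non-empty log line, preserving order."""
    return [check_commit(ln) for ln in log_text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        flag = "OK  " if v.ok else "FAIL"
        print(f"{flag} {v.commit[:12]} {v.author:<22} {v.reason}")
```

The third sample commit is the interesting one: `git log --show-signature` would report a perfectly good signature, yet the key belongs to a different maintainer than the one named in the author field. Only the key-to-identity binding catches that, which is why the allowlist, and not the signature status alone, is the thing a project has to maintain.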