Idea: privacy-sensitive way to link commits to author in The Nest

I’ve never liked the idea of tying an email address to my commits for privacy reasons, but of course I want to be linked somehow to my work. Would it be possible to rely on the key-pair used to sign commits instead? To avoid users claiming other users’ work by copy-pasting public keys into their profiles, The Nest should check that a person really owns a given public key by asking them to sign some random string before accepting it.

Could something like this work? I think I would like it more than GitHub’s solution (it generates a no-reply email for users that don’t want to make email addresses public).
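As an added illustration (not code from this thread, from Pijul or from The Nest), here is a minimal challenge-response proof of key possession of the kind proposed above, in Go using the standard library's Ed25519 (the signature scheme minisign also uses). The registry type, the prefix string and the message layout are assumptions; the random nonce is bound to the claiming account and consumed once, so a copy-pasted public key, a replayed signature or a challenge issued to someone else are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Domain-separation prefix (assumed label): a proof-of-possession signature
// must never be confusable with a commit signature made by the same key.
const challengePrefix = "nest-key-ownership-v1\x00"

// Registry is hypothetical server-side state; real code would also expire nonces and lock the maps.
type Registry struct {
	pending   map[string]string // hex(nonce) -> user it was issued to
	keyOwners map[string]string // hex(pubkey) -> user who proved possession
}

func NewRegistry() *Registry {
	return &Registry{pending: map[string]string{}, keyOwners: map[string]string{}}
}

// Issue returns a fresh 32-byte random nonce bound to the claiming user.
func (r *Registry) Issue(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Message is the exact byte string the client signs: prefix || user || nonce,
// so a challenge issued for one account cannot be reused to claim another.
func Message(user string, nonce []byte) []byte {
	return append([]byte(challengePrefix+user+"\x00"), nonce...)
}

// Claim verifies the signature over the issued challenge and records ownership.
// The nonce is consumed on the first attempt, successful or not (single use).
func (r *Registry) Claim(user string, pub ed25519.PublicKey, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	issuedTo, ok := r.pending[key]
	delete(r.pending, key)
	if !ok || issuedTo != user {
		return errors.New("unknown, already used or mismatched challenge")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, Message(user, nonce), sig) {
		return errors.New("signature does not prove possession of this key")
	}
	r.keyOwners[hex.EncodeToString(pub)] = user
	return nil
}
```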

This is actually how it was done before I made the mistake of switching to PGP. It’s actually really cool, and I want that too. Let’s see if I can find a way to implement it in the next Pijul.


I’m curious, why do you consider switching to PGP a mistake? As much as I like minisign, I wonder if the lack of key revocation is a problem when signing commits.

Because it would now be easier to code your own domain-specific tiny clone of PGP, including key revocation, than to install Pijul 0.12 on any platform other than NixOS (where installing anything is almost always trivial anyway).

I wrote an implementation of PGP in Rust years ago; I swore I would never touch PGP ever again after that, and I got tricked again. Anyway, Sequoia PGP is a great implementation of PGP; the problem is not the implementation, it’s the clunky standard requiring weird crypto libraries and overcomplicated APIs.

I see. I thought Sequoia was a pure implementation in Rust; I guess that will never happen, and that’s why a lot of cryptographers gave up on PGP already.

What about adding key revocation to minisign?