Start Signing your Commits with Gitsign

The issue of code provenance is an industry-wide threat that needs to be addressed, says Erika Heidi. “We need additional layers of security to prove the provenance of code that is committed to a repository, especially when it comes to libraries that are used as dependencies by hundreds or thousands of other projects.”

In this post, Heidi shows how to start using keyless signing with Gitsign, noting that “signing your commits is a step you can start doing today to improve the resilience of your open source projects.”

Read more at Dev.to.
