***rt is now known as robin
<Hagfish> let's hope it incentivises the right behaviours, over all
<stikonas> well, but you can always game that score a bit if you are malicious. E.g. for the signed releases thing it says "The check does not verify the signatures." So even a completely broken signature would pass that check
<civodul> yeah, it reminds me of the "Verified" badge on GitHub
<hendursaga> civodul: did they finally make a way where you could verify that badge offline by yourself with PGP??
<stikonas> hendursaga: well, they don't have to make any way, you just do that with git/gpg
<stikonas> but as usual with gpg, you want your key to be in the strong set to be able to verify anything
<hendursaga> stikonas: I meant, when the maintainer doesn't provide signed hashes on the releases page or elsewhere
<hendursaga> because isn't the verified badge only when they sign commits or releases or something?
<stikonas> or in some cases (like package manager repos in e.g. guix or gentoo) you need each commit to be signed
<hendursaga> hmmm, so when that badge is shown, the signed commit/tag is somewhere in the Git repo that you could then check?
<stikonas> --show-signature, apparently it is singular
<hendursaga> oh, TIL - I'm only used to signing commits and sending them through email (I used to do some Guix development)
<stikonas> I don't think a commit signature survives email...
<stikonas> since the commit is actually made by somebody else
<stikonas> git has both author and committer fields
<hendursaga> no, like, creating a patch file and signing it, then sending both..?
<stikonas> I think that's different from git signatures
<hendursaga> I'm currently rather excited about Pijul, eventually they'll have multiple ways to sign/verify patches and all that
<civodul> hendursaga: re the OpenPGP badge on GitHub, i don't know
<civodul> but i think it's pointless without a mechanism similar to what Guix has