
@ Anthony Accioly
2025-02-20 19:00:40
You can, for instance, use NIP-39 to verify that you have control of a certain GitHub account. This can be useful for other Nostriches.
Regardless of NIP-39 though, unless you are signing your commits, it's pretty easy for other people to create a commit linked to your real GitHub account. All that they have to do is have a look at some of your commits, figure out what e-mail address you are using and push any commit with this e-mail address. See the "Linus Torvalds" example above. Unless you are signing your commits and have vigilant mode enabled, there will be no visual indication that this commit didn't come from you. And this is only step 1 out of 100 that can be exploited if artifacts aren't being signed throughout the software supply chain.
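As an added illustration of the defensive check this comment points at (a policy gate over git's own signature status, so that a commit merely reusing someone's e-mail address is flagged), here is example code written for this page, not the commenter's. It assumes the log is produced with `git log --format='%H%x09%G?%x09%GK%x09%ae'`; the key IDs, e-mails and hashes are constructed placeholders.

```python
"""Audit commits against a signing policy, using git's own signature status.

Added example (not from the discussion). Input is the output of
    git log --format='%H%x09%G?%x09%GK%x09%ae'
where %G? is the signature status, %GK the signing key ID and %ae the author
e-mail. Keys, e-mails and hashes below are constructed placeholders.
"""
from typing import Dict, List, Set, Tuple

# git's %G? status codes (see git-log documentation, "pretty formats").
SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked",
    "N": "no signature",
}

def audit_commits(log_text: str, keys_for: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (abbreviated hash, reason) for each commit that fails policy.

    Policy: a commit must carry a good, trusted signature ("G") made with a key
    registered for its author e-mail. A commit that only reuses someone's
    e-mail address, as in the scenario above, fails one of these two checks.
    """
    findings: List[Tuple[str, str]] = []
    for line in log_text.strip().splitlines():
        sha, status, key_id, email = line.split("\t")
        if status != "G":
            findings.append((sha[:12], SIG_STATUS.get(status, f"unknown status {status!r}")))
        elif key_id not in keys_for.get(email, set()):
            findings.append((sha[:12], f"signed with key {key_id}, not registered for {email}"))
    return findings

# Constructed sample rows in the format above: a properly signed commit, an
# unsigned one, one signed with an unregistered key, one with an untrusted key.
KEYS_FOR = {"alice@example.org": {"ABCDEF0123456789"}}
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("a1b2c3d4e5f60718293a4b5c6d7e8f9012345678", "G", "ABCDEF0123456789", "alice@example.org"),
    ("0f1e2d3c4b5a69788796a5b4c3d2e1f001234567", "N", "", "alice@example.org"),
    ("9a8b7c6d5e4f30211203f4e5d6c7b8a987654321", "G", "0123456789ABCDEF", "alice@example.org"),
    ("deadbeef00001111222233334444555566667777", "U", "ABCDEF0123456789", "alice@example.org"),
])

if __name__ == "__main__":
    for sha, reason in audit_commits(SAMPLE_LOG, KEYS_FOR):
        print(f"{sha}  {reason}")
```

Run in CI over `git log` output for the range being merged; any finding blocks the merge, which is the server-side equivalent of the "vigilant mode" indicator the comment mentions.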