Digital Certs Key to Securing Open Source Supply Chain, Though Few Devs Use Them

Half of all open source contributors are never encouraged to use digital signatures when making changes to the open source projects they’re involved with, according to the “2020 FOSS Contributor Survey.” In contrast, 17% are typically required to use a digital signature on all commits. Slightly more projects require cryptographic proof of a contributor’s identity before a final package is released.

Especially in light of the recent SolarWinds attack, requiring digital certificates is a strong way to track the chain of custody of open source code throughout the software supply chain.

Requiring a digital signature can be a barrier to contributions because of the time and effort needed to set up and maintain the signing system. If an open source project has only a few contributors, it may not seem worth the effort. Yet 48% of projects also do not require two-factor authentication (e.g., Google Authenticator or SMS messages) before accepting a change request.

The complete article can be found here.