And if "the proper way to verify committer identity is, as per GitHub's response, a cryptographic signature", GitHub is certainly not pushing this.
If the only real security around attribution is "a cryptographic signature", GitHub could do a lot better in pushing this, making it an essential part of the signup or "getting started" and such.