The Realm is the most powerful and most important concept of Scrutineer. It solves the problem of managing trust relationships with many users.

Your realm is personal. You and only you decide what is in it - and what is not.

Temporal properties of git signatures

When working with signatures, the signing and the verification process usually happen within a short time interval. With git it is different: between signing a commit and verifying that same commit, years can pass. Scrutineer accounts for this mismatch by providing a timeline in which signatures are valid (see image below). A commit is trusted if a trusted user signed it within a specific time interval.


Contents of the Realm

You can trust

  • users
  • teams
  • organizations

for a defined time interval. By default, a time interval starts now and ends 365 days from now. This is a sensible default; you can override it at any time and even create multiple intervals per user, team and organization.

Trust of Teams and Organizations

I saw the need for managed groups. Usually you don't develop software in isolation. Likewise, you usually don't trust just one other developer; you trust an entire organization. Implicitly, we already trust organizations the moment we download their unsigned code. It would be even better if we downloaded and verified their signed code. The individual developer plays a less important role in this situation.