Hacker News

So what this means is that if someone compromises their GPG key (more or less easy) and gets his passphrase (not difficult), they can sign all kinds of commits and make it look like he did it. Great.

Security is only as good as the weakest link.

Also, don't make it look like it's more secure when it may not be.


