As of 2024-12-24, all commit signatures shall match ./.ssh/sha256.sig values. ./README.md#signaturecertificate shows how to test this on your own.
As of 2025-04-09 (commit a40d1ff013f3007384e4ed025d0e402364d189cb), ./.ssh/allowed_signers.old holds old certificates[^1] (not known to be "compromised"; just no longer used). TODO; warn if new commits use old certificates.
As of 2025-07-10 (commit 7c84ecbd29360a60bd0336799305bb45aba223fb), this repo switches to a new certificate[^2]. The previous certificates are not known to be "compromised", but were used on numerous devices and are no longer trustable.
Users can expect that past 2024-06-26, trunk passes GitHub's code reviews[^3].
- If GitHub gives advisories, https://github.com/SwuduSusuwu/SusuMid/security/ shows those (the top just shows what is in SECURITY.md, so remember to scroll down).
First, view How to contribute for information on issues (to ensure that what you found is not a normal issue).
If you found normal issue(s), such as this, use this normal route to post about new issues.
But if you found sensitive issue(s), such as this, you have a few options to report the issue:
- through a new private advisory,
- through private message to https://github.com/SwuduSusuwu (if GitHub now allows private messages),
- or mailto:2002swudususuwu@gmail.com.
- If there is no response soon, you can also contact https://substack.com/@swudususuwu.
You can expect:
- Best effort to address the issue(s),
- with you anonymous (unless you ask to publish credits to you.)
TODO; have ./.ssh/setup.sh do git config to warn if new commits use old certificates (don't know how to).
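One way to approach the TODO above, as an added example that is not part of this repository: a POSIX shell function that flags commits signed with a retired key. It assumes a file with one retired fingerprint per line (a hypothetical format) and input lines of `<commit> <fingerprint>` as `git log --format='%H %GF'` prints them; the commit ids in `demo` are constructed, and the two fingerprints are the ones named in the footnotes.

```shell
# warn_retired_signers RETIRED_FILE
# stdin: "<commit> <fingerprint>" lines, as `git log --format='%H %GF'` prints.
# RETIRED_FILE: one retired fingerprint per line (assumed format, not the repo's).
# Prints offending "<commit> <fingerprint>" pairs on stdout, warnings on stderr;
# returns 1 if any commit used a retired key, 2 if RETIRED_FILE is unreadable.
warn_retired_signers() {
    retired_file=$1
    [ -r "$retired_file" ] || { echo "cannot read $retired_file" >&2; return 2; }
    awk -v retired="$retired_file" '
        BEGIN {
            # Load retired fingerprints; skip blank lines and comments.
            while ((getline line < retired) > 0) {
                sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
                if (line != "" && line !~ /^#/) old[line] = 1
            }
            close(retired)
        }
        NF == 1 { unsigned++; next }   # unsigned commit: %GF is empty
        ($2 in old) {
            print $1, $2
            printf "warning: commit %s signed with retired key %s\n", $1, $2 > "/dev/stderr"
            hits++
        }
        END {
            if (unsigned) printf "note: %d commit(s) carry no signature\n", unsigned > "/dev/stderr"
            exit (hits ? 1 : 0)
        }
    '
}

# Constructed sample: commit ids are made up; the first fingerprint is treated
# as retired, the second as current (both values come from the footnotes).
demo() {
    tmp=$(mktemp) || return 2
    echo 'SHA256:1csQw8HZNJa7t2gbG9/usNZ6cXdlUlSMcA3dVb3j16c' > "$tmp"
    rc=0
    printf '%s\n' \
        'aaaaaaa1 SHA256:8MXQK2Ms1FI4X3BSNbLuYAAMO3MXPQ7GsGH4kcXNDiY' \
        'bbbbbbb2 SHA256:1csQw8HZNJa7t2gbG9/usNZ6cXdlUlSMcA3dVb3j16c' \
        'ccccccc3' |
        warn_retired_signers "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

To scan real history, pipe `git log --format='%H %GF' 7c84ecbd29360a60bd0336799305bb45aba223fb..HEAD` into `warn_retired_signers` together with the retired-fingerprint file.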
Footnotes

[^1]: As of commit a40d1ff013f3007384e4ed025d0e402364d189cb, ./.ssh/sha256.sig (and the ./.ssh/allowed_signers which sha256.sig produces) have a new certificate (SHA256:1csQw8HZNJa7t2gbG9/usNZ6cXdlUlSMcA3dVb3j16c).

[^2]: As of commit 7c84ecbd29360a60bd0336799305bb45aba223fb, ./.ssh/sha256.sig (and the ./.ssh/allowed_signers which sha256.sig produces) have a new certificate. All commits which follow that commit must use that new certificate (SHA256:8MXQK2Ms1FI4X3BSNbLuYAAMO3MXPQ7GsGH4kcXNDiY).

[^3]: As of commit 36fa8a54a2a56d6e5bf21899980b48b462c15bde (+ .github/workflows/codacy.yml New GitHub analysis.), the code scans now include all of Codacy's test results; before this, just GitHub's CodeQL produced code scans.