From edffb33a422c7fbea59a497ff4652489fcaeef92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Paul=20M=C3=BCller?= Date: Wed, 8 Jan 2025 14:01:39 +0100 Subject: [PATCH] update readme with code signing policy and project integrity --- README.rst | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/README.rst b/README.rst index 640c703..126531c 100644 --- a/README.rst +++ b/README.rst @@ -15,8 +15,29 @@ to install a Python distribution: Installation ------------ -At the `release page `_, -you can download an installer. +You can download the installer from the +`release page `_. + +Code Signing Policy +................... +The DC tools for Windows use free code signing provided by `SignPath.io `_, +certificate by `SignPath Foundation `_. + +Project Integrity +----------------- +To verify the integrity of the DC tools for Windows, we manage access this +repository via GitHub Team roles: + +- **Triage**: The `Members team of DC-Analysis `_ + has permission to triage (e.g. modify issues). +- **Core**: The `Core team of DC-Analysis `_ + consists of people who are trusted to modify the source code in the project's + version control system without additional reviews. +- There is no special role for *Commiters*. External contributors or members + of the *Triage* team must create a pull request which is reviewed by a + *Core* team member. +- Furthermore, we enforce 2FA for every member of the DCOR-dev GitHub + organization. For developers
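Review bot: In the new Project Integrity list, the Triage and Core roles are defined as teams of DC-Analysis, but the last bullet enforces 2FA for "every member of the DCOR-dev GitHub organization", so a reader cannot tell whether 2FA covers the people who hold write access to this repository. Name the organization that owns the repository in that bullet, or state explicitly that both organizations enforce 2FA. In the same section, "we manage access this repository" is missing "to", and "Commiters" should be "Committers". The opening "To verify the integrity" describes access control rather than verification, so wording such as "To protect the integrity" would match what the list documents. The Core bullet allows changes "without additional reviews"; if releases are signed from this repository, it is worth saying who approves a signing request, since that is the step a reader of a code signing policy will look for. Finally, "Code Signing Policy" is underlined with dots (a subsection of Installation) while "Project Integrity" uses dashes (a peer of Installation); check that this nesting is intended.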