sigstore · ltagliaferri · Mar 11, 2024 · Mar 5, 2024 · Mar 7, 2024
diff --git a/content/en/about/faq.md b/content/en/about/faq.md
@@ -6,12 +6,12 @@
 weight: 35
 ---

 This FAQ is intended to go as in depth as possible for anyone using sigstore. 

 ## General

 ### What security checks do you use internally?

 We’ve adopted a security disclosures and response policy to make sure we can responsibly handle critical issues. We have an initial Security Response Committee, who for each vulnerability reported will coordinate to create the fix and release, and communicate the process. You can read the [full policy on GitHub](https://github.com/sigstore/.github/blob/main/SECURITY.md).

 ### How does Sigstore integrate in-toto?
@@ -121,17 +121,17 @@
 by default an ephemeral key is generated for each commit. There are a
 few options to help automating the authentication process:

 - Setting the [`connectorID`](/signing/gitsign/#configuration) value can be set to
  automatically select the desired provider for Dex-backed OIDC providers
  (including the public Sigstore instance at `oauth.sigstore.dev`). While this
  still requires a browser window to open, this does not require an extra click
  to select the provider.
 - Starting in v0.2.0, Gitsign has experimental support for key caching to allow
  users to reuse ephemeral keys for the lifetime of the Fulcio certificate. If
  you are interested in learning more, check out the
  [`gitsign-credential-cache` README](https://github.com/sigstore/gitsign/tree/main/cmd/gitsign-credential-cache).


 ## Rekor

 ### Is the transparency log monitored?
@@ -146,16 +146,12 @@
 
 There's no need for a distributed source of transparency as there can be multiple points of transparency which only adds more sources of security guarantee, not fewer. An entity can post to as many Rekor logs as they want and inform users of where they post. We do encourage folks to use common public instances, but we don't seek to enforce this. We do plan to look to produce a gossip protocol, for those that desire a more decentralised model (if there's demand).
 
-### How do I verify downloaded code?
-
-Public blockchains often end up using a centralized entry point for canonicalization and authentication. Consensus algorithms can be susceptible to majority attacks, and transparency logs are more mature and capable for what we aim to build with sigstore.
-
 ### Why use a Merkle Tree/Transparency log?
 
 - Rekor's back end is [Trillian](https://github.com/google/trillian)
 - Trillian is an open source community under active development
 - Trilian is deployed by Google, CloudFlare (nimbus), Let's Encrypt for certificate transparency, so it already is considered production grade

 ### Can I get Rekor to work with my X format, framework standard?

 - Yes. Using pluggable types you can create your own manifest layout and send it to Rekor. Head over to [pluggable types]({{< relref "logging/pluggable-types">}})