Proposal to sign all commits

David Lang david at lang.hm
Wed May 4 17:27:15 PDT 2016


On Wed, 4 May 2016, Kus wrote:

>
> I'd like to propose that all commits (at least to master) going forward be signed with the committer's gpg key.
>
> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>
> Thoughts?

Other than the possible idea that you can know if a commit was created by the 
same person who created another commit with the same signature, how are you 
going to validate the signatures?

Who would issue the certs?

How do you handle signatures on a patch that requires changes before it's 
merged?

How do you handle signatures on a patch that arrives via e-mail?

In other words, would this really be able to cover all commits without having 
people sign for other people's work? If it can't, what do the signatures 
actually tell you?

David Lang


