Proposal to sign all commits

David Lang david at lang.hm
Wed May 4 23:42:45 PDT 2016


On Thu, 5 May 2016, John Crispin wrote:

> On 05/05/2016 07:38, David Lang wrote:
>> On Thu, 5 May 2016, John Crispin wrote:
>>
>>> On 04/05/2016 23:38, Kus wrote:
>>>> Greetings
>>>>
>>>> I'd like to propose that all commits (at least to master) going
>>>> forward be signed with the committer's gpg key.
>>>>
>>>> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>>
>>>> Thoughts?
>>>
>>> we could do that. if you look at the keyring.git, you will see that we
>>> already asked those with commit access to submit their gpg keys.
>>
>> At that point, all you are signing is who merged the work into the tree.
>> That doesn't give you any information about who created the work.
>
> that is not what i meant. i would like to encourage people sending
> patches or PRs to sign those if that is possible.
>
>> Is there enough value in this to be worth the hassle?
>
> to my understanding this can be automated using git.

Kus and I had an exchange that ended up going off-list, apologies if I duplicate 
things that made it to the list.

Is it acceptable to only have some commits signed and not all?

While git automates the signing after it's all set up, that setup still needs to 
be done.

Given the lack of any real ability to tie an online name to a physical person, 
what is the value of signing? If it is valuable, why do you allow anything not 
to be signed?

How do you handle things via e-mail where the signature either doesn't exist or 
can't be transferred?

How do you handle cases where the maintainer needs to fix a merge or otherwise 
tweak the submission?

Other than as a gee-whiz we-can-do-that, what's the actual value provided by the 
signatures?

David Lang
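One way to look at the mixed situation David describes (some commits signed, some not, merges fixed up by a maintainer) is to audit what git itself reports. The script below is an added example, not code from this thread or the LEDE tree: it parses `git log` output that uses the `%G?` signature-status placeholder and flags unsigned commits, bad or uncheckable signatures, and signed commits whose author is not the committer (the signature only vouches for whoever committed). The sample log lines are constructed; the `%GK` and some `%G?` codes need a reasonably current git.

```python
from collections import namedtuple
# Run:  git log --format="$LOG_FORMAT" <range>   -> one line per commit with
# tab-separated hash, %G? code, signer, key id, author, committer, subject.
LOG_FORMAT = "%H%x09%G?%x09%GS%x09%GK%x09%an%x09%cn%x09%s"

# %G? codes as documented in git-log(1); "N" means no signature at all.
GOOD = {"G": "good", "U": "good, key untrusted"}
BAD = {"B": "bad signature", "X": "good, signature expired", "Y": "good, key expired",
       "R": "good, key revoked", "E": "cannot check (key missing)"}

Commit = namedtuple("Commit", "sha status signer key author committer subject")

def parse_log(text):
    """Turn `git log --format=LOG_FORMAT` output into Commit records."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t", 6)
            if len(fields) != 7:
                raise ValueError(f"malformed line: {line!r}")
            commits.append(Commit(*fields))
    return commits

def audit(commits, require_all=True):
    """Return (sha, problem) pairs for commits that fail the policy.
    require_all=True demands a valid signature everywhere; False tolerates
    unsigned commits and checks only the signed ones (the mixed tree the
    thread asks about).  A good signature vouches for the committer only,
    so an author/committer mismatch is reported too."""
    problems = []
    for c in commits:
        if c.status == "N":
            if require_all:
                problems.append((c.sha, "unsigned"))
        elif c.status in BAD:
            problems.append((c.sha, BAD[c.status]))
        elif c.status not in GOOD:
            problems.append((c.sha, f"unknown %G? code {c.status}"))
        elif c.author != c.committer:
            problems.append((c.sha, f"signed by committer {c.committer}, not author {c.author}"))
    return problems

# Constructed sample output; hashes, names and key ids are made up.
SAMPLE = "\n".join([
    "aaa1\tG\tAlice <alice@example.org>\tAAAA1111\tAlice\tAlice\tfix foo",
    "bbb2\tN\t\t\tBob\tAlice\tpatch from the list, applied by Alice",
    "ccc3\tG\tAlice <alice@example.org>\tAAAA1111\tBob\tAlice\tmerge fix-up",
    "ddd4\tE\tCarol <carol@example.org>\tCCCC3333\tCarol\tCarol\tkey not in keyring",
])
```

Running `audit(parse_log(SAMPLE))` reports the unsigned patch applied from the list, the maintainer-signed commit whose author is someone else, and the signature that cannot be checked because the key is not in the local keyring.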



More information about the Lede-dev mailing list