Proposal to sign all commits
David Lang
david at lang.hm
Thu May 5 00:08:35 PDT 2016
On Thu, 5 May 2016, John Crispin wrote:
>> Other than as a gee-whiz we-can-do-that, what's the actual value provided
>> by the signatures?
>
> I don't plan to get into a discussion about why signing and crypto in
> general is useful.
>
> Apart from that, it's a feature widely adopted by others, git does not
> have these features for the sake of code bloat and people are asking for it
> so I believe it is worth considering.

All I'm trying to do is have the consideration be more than "sprinkle encryption
around -> something improved"

In environments where everyone is known and there is a reason to be able to
track a particular commit back to an individual, signing commits is an obvious
win.

In an environment where the vast majority of people are unknown, and any signing
they are doing involves no liability, and no assurance that the person is who
they claim to be (other than claiming to be someone who has access to that
signing key), the value of signatures is much less.

By all means consider using them. I'm just saying that the project should be
able to state why with something other than "because we can" to the question of
"why should someone bother?"

David Lang
More information about the Lede-dev
mailing list