Proposal to sign all commits

David Lang david at lang.hm
Thu May 5 00:08:35 PDT 2016


On Thu, 5 May 2016, John Crispin wrote:

>> Other than as a gee-whiz we-can-do-that, what's the actual value provided
>> by the signatures?
>
> I don't plan to get into a discussion about why signing and crypto in
> general is useful.
>
> Apart from that, it's a feature widely adopted by others, git does not
> have these features for sake of code bloat and people are asking for it
> so I believe it is worth considering.

All I'm trying to do is have the consideration be more than "sprinkle encryption
around -> something improved".

In environments where everyone is known and there is a reason to be able to 
track a particular commit back to an individual, signing commits is an obvious 
win.

In an environment where the vast majority of people are unknown, and any signing 
they are doing involves no liability, and no assurance that the person is who 
they claim to be (other than claiming to be someone who has access to that 
signing key), the value of signatures is much less.

By all means consider using them. I'm just saying that the project should be
able to state why with something other than "because we can" to the question of
"why should someone bother?"

David Lang


