Proposal to sign all commits

Foster Snowhill forst at forstwoof.ru
Thu May 5 00:34:22 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05.05.16 10:08, David Lang wrote:
> In an environment where the vast majority of people are unknown, 
> and any signing they are doing involves no liability, and no 
> assurance that the person is who they claim to be (other than 
> claiming to be someone who has access to that signing key), the 
> value of signatures is much less.

Can't this problem be solved using the web of trust? It doesn't
require a trusted certificate authority, thus is decentralized. Truth
be told, getting your key signed by others is not a simple process, as
it requires physical presence of both the signer and the one who gets
the signature; it's better than nothing though.


On 05.05.16 08:42, David Lang wrote:
> how do you handle cases where the maintainer needs to fix a merge 
> or otherwise tweak the submission?

As for commits, those shouldn't be edited, but a new commit should be
created with necessary fixes, carrying the signature of the person
doing the fixes. The original commit will have the signature of its
creator.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



More information about the Lede-dev mailing list