[LEDE-DEV] Proposal to sign all commits

[Kus]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


> Regarding signing commits with GPG key, it would be nice to recommend it but making it a requirement sounds like a barrier.

I'd argue such a barrier is OK if we want to quickly increase the size of the team of people with commit access. I think we're underestimating our contributors here. I agree that we shouldn't have unnecessary barriers (such as copyright assignment to give a specific example).

I am getting mixed signals here though. Some people say requiring signing causes friction and limits participation. Others say that there will only be a couple of people who will ever have commit access so signing is unnecessary.

I don't want to take too much time here because signing commits is a lower priority compared to doing the actual work of writing code/documentation (including a wiki), increasing/maintaining test coverage, and setting up automatic signed builds and so on (being discussed in separate threads).

I don't think there's a definite right or wrong answer here as long as we understand and accept the trade offs.

Sincerely,
-----BEGIN PGP SIGNATURE-----
Version: APG v1.1.1

iQJRBAEBCgA7BQJXLL6NNBxLdXNoYWwgSGFkYSAoZGV2ZWxvcGVyKSA8a3VzaGFs
ZGV2ZWxvcGVyQGdtYWlsLmNvbT4ACgkQJsInd2b1xmPv9w/+Km0COpDHFHWjahVX
XCGZdokz4BZn41ZF54R4z7iyexzZ9uviLJfQyftHODHYCvdl/P+zA3WYX2nyEQ5j
zDIkXuGKmrG68zt55Y2layVgOrqJ3BswwdkFhG7mFEyvTJQDWYp50F6a9JjURZmB
x1YCUO7fQidrmjOYdE9omEeJCBukujGtBFG1i2YxGPHA8hWANxB+hZD5AZHouNto
i5YG7ssjJXusdoCtReIxUsimUwQ6s5IqSiOSZPwlGGl3lTj4rVcQtUNZzTlwBRsL
3VEAAlXNd6Kl0oKaet9wVJNwiF3nrDiLAgwTjS2T5ZIe5l4+TwcSAsN3xJUAe1tx
7ysWFEbgYNLxXuI8cvEXr9g9n7BW3QnbgQzpgadjQisGeIOzwsCirpGKrSBJDXVP
RDClZQe9FhJ4edxgWig4htvH4eHsyyzic0RDaG+70aSNlWS4gVniAZ+dvn4cxnlF
22v7Ryl/Sb3dmhub2bQVVP4TZyYityNNfyW74cODj4mx2cYYwEhVEIAbvKz+ZE7r
D6T2svtOSJpaPBGKL4JGhXxdwo6UZJucA13h3nrxYH+nHlm6v0xHWkV955LyP976
SYS7Nw6Opw0L66L5jAJjQ3z6+YAabd00AmxWMnL6pMJk3k8sY8sH45CLghCvQNzr
xeFklDOsle8MwWAuuBb9CMB1OLI=
=bVJi
-----END PGP SIGNATURE-----