I think gpg signing of commits is a good practice. It also strongly discourages rebasing on master and release branches, which is also a good thing. On ORC, we try to sign all of our commits.
.. Owen

On Fri, Feb 24, 2017 at 3:36 AM, Steve Loughran <ste...@hortonworks.com> wrote:
>
> For the next few days I'm experimenting with the -S option on signing
> commits, which tells git to ask gpg to sign the commit, which will then
> somehow get the little yubikey plugged into my laptop to do the signing
>
> Because I've uploaded the public bit of the key to my github repo, Github
> can authenticate that it really was me doing the commit
>
> https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc
>
> and, if I'm trusted in your keyring, a git log --show-signature
>
> git log --show-signature 9c22a91662
> commit 9c22a91662af24569191ce45289ef8266e8755cc
> gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
> gpg:                using RSA key 950CC3E032B79CA2
> gpg: Good signature from "Steve Loughran <ste...@apache.org>" [ultimate]
> Author: Steve Loughran <ste...@apache.org>
> Date:   Fri Feb 24 10:41:36 2017 +0000
>
>     HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed
>     by Sean Mackrory.
>
>     (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)
>
> You can also use GPG to sign a tag, then use git verify-tag to check the
> signature; this stops anyone being able to silently move a tag: you can
> move a tag, but then its signature is invalid
>
> Will it help make our code and development process more secure? Not
> really, not if our build depends on pulling down artifacts from random
> places with an MD5 or SHA1 validation *at best*. And signing patches
> doesn't magically make the code inside secure. But it does at least add
> some chain of provenance to who actually put stuff in, rather than the
> logged committer of any patch being whoever that user chose to declare
> themselves to be.
>
> I'm only doing this for the never-rebased branches, and of course when
> something gets cherry picked, the signature becomes invalid. I'll decide
> after a week or two whether it's a viable process. The opinions/experience
> of others would be useful here
>
> -Steve
>
> ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
>
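The workflow Steve describes, as an added example that is not part of this thread and not code from Hadoop or ORC: in a throwaway repo with a throwaway GnuPG key it signs a commit with `git commit -S` and a tag with `git tag -s`, verifies both, and then shows the two limits he mentions: a signed tag that has been pointed at a different commit verifies as BAD, and a cherry-picked copy of a signed commit carries no signature at all. The key name, address, file contents and commit messages are constructed for the demo; it assumes `git` and GnuPG 2.1 or newer on PATH (the batch `%no-protection` option needs 2.1). "Moving" the tag is done by rewriting the tag object's `object` line with `git mktag` rather than `git tag -f`, because `-f` would silently replace the signed tag with an unsigned lightweight one, which is a different (and easier to spot) failure.

```shell
#!/bin/sh
# Added example, not code from this thread, Hadoop or ORC: throwaway repo and
# throwaway GnuPG key; sign a commit and a tag, then show what the signature
# does and does not cover. Needs git and GnuPG >= 2.1 on PATH. Names, addresses
# and file contents are constructed for the demo.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
export GNUPGHOME="$WORK/gnupg"      # isolated keyring; ~/.gnupg is never touched
mkdir -m 700 "$GNUPGHOME"

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# --- 1. throwaway signing key (no passphrase, expires in a day) ---------------
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 1d
%commit
EOF
KEYID=$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')

# --- 2. one unsigned commit, one signed commit, one signed tag ----------------
git init -q "$REPO"
git -C "$REPO" config user.name  "Example Signer"
git -C "$REPO" config user.email "signer@example.invalid"
git -C "$REPO" config user.signingkey "$KEYID"    # the key that -S / -s will use

echo "base" > "$REPO/README"
git -C "$REPO" add README
git -C "$REPO" commit -q -m "base commit, unsigned"
BASE=$(git -C "$REPO" rev-parse HEAD)

echo "fix" > "$REPO/fix.txt"
git -C "$REPO" add fix.txt
git -C "$REPO" commit -q -S -m "signed fix"       # -S: git asks gpg to sign the commit object
SIGNED=$(git -C "$REPO" rev-parse HEAD)

git -C "$REPO" tag -s -m "signed release tag" v1  # -s: signed annotated tag

# --- helpers used by the checks below ----------------------------------------
# %G? is one letter: G good, B bad, U good but untrusted key, N no signature, E cannot check
sig_status()      { git -C "$REPO" log -1 --format=%G? "$1"; }
commit_verifies() { git -C "$REPO" verify-commit "$1" >/dev/null 2>&1; }
tag_verifies()    { git -C "$REPO" verify-tag    "$1" >/dev/null 2>&1; }

# --- 3. "move" the signed tag to the base commit without re-signing ----------
# The signature covers the tag object, including its "object" line, so rewriting
# that line and re-pointing refs/tags/v1 at the new object yields a BAD signature.
git -C "$REPO" cat-file -p v1 | sed "s/^object $SIGNED/object $BASE/" > "$WORK/moved-tag"
MOVED=$(git -C "$REPO" mktag < "$WORK/moved-tag")
git -C "$REPO" update-ref refs/tags/v1 "$MOVED"

# --- 4. cherry-pick the signed commit onto a branch off the base commit -------
# cherry-pick writes a brand-new commit object; without -S it is simply unsigned.
git -C "$REPO" checkout -q -b backport "$BASE"
git -C "$REPO" cherry-pick -x "$SIGNED" >/dev/null
PICKED=$(git -C "$REPO" rev-parse HEAD)

# --- 5. what a reviewer sees -------------------------------------------------
git -C "$REPO" log --show-signature -1 "$SIGNED"
echo "signed commit: $(sig_status "$SIGNED")   (G = good)"
echo "cherry-pick:   $(sig_status "$PICKED")   (N = no signature)"
if tag_verifies v1; then echo "tag v1: good"; else echo "tag v1: BAD signature (moved after signing)"; fi
```

Two things worth keeping in mind when reading the output. First, "Good signature" only means the commit was signed by a key your keyring trusts, which is exactly Steve's "if I'm trusted in your keyring" qualifier; with a key you did not generate yourself `%G?` will print `U` until you set trust on it. Second, the cherry-pick result is not a broken signature but a missing one: the original signed commit is untouched, and the backport is a new object that was never signed, so a branch policy that requires signed commits has to be enforced on the cherry-pick too (pass `-S` again, or set `commit.gpgsign true` so it is the default).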