Aug 8, 2022, 16:50 by mich...@niedermayer.cc:

> Given the recent server issues, I wonder if we should suggest/recommend
> and document signing commits and tags
>
> I tried to push such commit to github and it nicely says "verified"
> https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
>
> I've generated a new gpg key for this experiment as I don't have my
> main key on the box used for git development and also using more
> modern elliptic curve stuff (smaller keys & sigs)
> I will upload this key to the keyservers in case it becomes the
> one I use for git.
>

I sign all of my commits, I think it should be recommended but not required. One downside is that you can sign commits from others with your own key (for instance when pushing a patch from someone along with your commits, and signing all at once via rebase), which can be misleading, so it takes some work to reorder commits or push them in stages so this doesn't happen. It makes sense that it's the committer who's signing it, but git or github don't make a distinction when it comes to signing.
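
The case described in the reply above, a signature attached to a commit whose author is someone other than the committer, can be listed for a commit range before pushing. This is an added example, not part of the original thread and not FFmpeg project tooling: it filters `git log` output built from git's `%G?`, `%ae` and `%ce` format placeholders, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list signed commits whose author differs from the committer.
# Input: one commit per line, tab-separated, as produced by
#   git log --format='%H%x09%G?%x09%ae%x09%ce%x09%s' <range>
# %G? is git's signature status: G good, U good with unknown validity,
# B bad, E cannot be checked, X/Y/R expired or revoked, N no signature.

signed_for_others() {
    awk -F '\t' '
        # Any status other than N means a signature is attached; the
        # signature is made by the committer, so compare the two addresses.
        $2 != "N" && tolower($3) != tolower($4) {
            printf "%s sig=%s author=%s committer=%s\n", substr($1, 1, 12), $2, $3, $4
            found++
        }
        # Non-zero exit lets a pre-push hook or CI step stop on a finding.
        END { exit (found > 0 ? 1 : 0) }
    '
}

# Hypothetical wrapper for a real repository: audit_range origin/master..HEAD
audit_range() {
    git log --format='%H%x09%G?%x09%ae%x09%ce%x09%s' "$1" | signed_for_others
}

# Constructed sample input (hashes and addresses are made up).
sample_log() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        1111111111111111111111111111111111111111 G dev@example.org dev@example.org 'avcodec: own change' \
        2222222222222222222222222222222222222222 G contributor@example.net dev@example.org 'avformat: patch from list' \
        3333333333333333333333333333333333333333 N contributor@example.net dev@example.org 'doc: unsigned patch'
}

# Demo run on the constructed data; only the second commit is listed.
sample_log | signed_for_others || true
```

Commits listed by the filter are candidates for pushing in a separate, unsigned stage or for reordering, as the reply suggests.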