On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> Aug 8, 2022, 16:50 by mich...@niedermayer.cc:
>
> > Given the recent server issues, I wonder if we should suggest/recommend
> > and document signing commits and tags
> >
> > I tried to push such a commit to github and it nicely says "verified"
> > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> >
> > I've generated a new gpg key for this experiment as I don't have my
> > main key on the box used for git development and also using more
> > modern elliptic curve stuff (smaller keys & sigs)
> > I will upload this key to the keyservers in case it becomes the
> > one I use for git.
> >
>
> I sign all of my commits,

I didn't notice, but that's good as it also proves it works with no ill side effects.
Where can I find your public key? It seems it's not on the keyservers I checked.

> I think it should be recommended but
> not required.

Yes, for now, that's certainly the right path. In the future this should maybe
be reevaluated.

>
> One downside is that you can sign commits from others with your
> own key (for instance when pushing a patch from someone along
> with your commits, and signing all at once via rebase), which can be
> misleading, so it takes some work to reorder commits or push them
> in stages so this doesn't happen. It makes sense that it's the
> committer who's signing it, but git or github don't make a distinction
> when it comes to signing.

I don't see much harm if other commits are signed too.

thx

[...]

--
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
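The case Lynne describes, where signing everything at once via rebase leaves someone else's patch signed with the committer's key, can be spotted from git's own log fields. The script below is an added example, not part of the thread; the hashes, e-mail addresses, signer name and revision range in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Flags commits that carry a signature
# although the author is someone other than the committer (the signer).

# git pretty-format, TAB separated:
#   %H hash, %G? signature status, %ae author email, %ce committer email, %GS signer
LOG_FORMAT='%H%x09%G?%x09%ae%x09%ce%x09%GS'

# Reads lines in LOG_FORMAT on stdin, prints one line per flagged commit.
# %G? status: N = no signature; any other letter (G, U, E, B, ...) means one is present.
flag_signed_for_others() {
    awk -F '\t' '
        $2 != "N" && $3 != $4 {
            printf "%s status=%s author=%s committer=%s signer=\"%s\"\n",
                   substr($1, 1, 12), $2, $3, $4, $5
        }'
}

# Constructed sample in LOG_FORMAT (hashes, addresses and signer are made up):
#   1) maintainer signs their own commit            -> not flagged
#   2) contributor patch signed by the maintainer   -> flagged
#   3) unsigned contributor commit                  -> not flagged
sample_log() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        1111111111111111111111111111111111111111 G \
            maintainer@example.org maintainer@example.org 'Maintainer (constructed)' \
        2222222222222222222222222222222222222222 G \
            contributor@example.org maintainer@example.org 'Maintainer (constructed)' \
        3333333333333333333333333333333333333333 N \
            contributor@example.org contributor@example.org ''
}

# In a real repository (the revision range is an assumption):
#   git log --format="$LOG_FORMAT" origin/master..HEAD | flag_signed_for_others
sample_log | flag_signed_for_others
```

A flagged line means the signature vouches for the committer who pushed the commit, not for the listed author.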