Hi,

On Fri, 3 Jul 2015 11:19:13 -0500 William Hubbs wrote:
> On Fri, Jul 03, 2015 at 06:34:41AM +0000, Robin H. Johnson wrote:
> > On Thu, Jul 02, 2015 at 09:46:18PM -0400, Brian Evans wrote:
> > > Does this mean that https://wiki.gentoo.org/wiki/Gentoo_git_workflow
> > > is no longer draft or needs work or another document is meant to
> > > display the new flow?
> > It does cover most of the things needed.
> >
> > It could use some revision regarding gkeys, and I'd like to also mandate
> > signed pushes in addition to signed commits.
>
> A push doesn't create any data, it just uploads it to the repo, so how
> do you sign a push?

As I see from git docs only commits and tags may be signed. There is no way to sign a push. Moreover there is no need to sign each commit, see what Linux says on that:
http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

''
Btw, there's a final reason, and probably the really real one. Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less. It also doesn't add any real value, since the way the git DAG-chain of SHA1's work, you only ever need _one_ signature to make all the commits reachable from that one be effectively covered by that one. So signing each commit is simply missing the point.
''

Best regards,
Andrew Savchenko
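Added illustration, not part of the e-mail or of the post it quotes: the SHA-1 chaining that the quoted passage relies on, reproduced with git's object naming (blob, tree, commit) so that altering the oldest commit visibly changes the tip id a single signature would cover. The identity string, file names and contents are constructed for the example, and only flat trees of regular files are handled.

```python
import hashlib

def git_object_id(kind, body):
    """Name an object the way git does: SHA-1 of '<kind> <size>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()

def tree_id(files):
    """Tree of regular files (mode 100644); entries sorted by name."""
    body = b""
    for name in sorted(files):
        blob = git_object_id("blob", files[name])
        body += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(blob)
    return git_object_id("tree", body)

# Constructed author/committer line (name, e-mail, timestamp, timezone).
IDENT = "Example Dev <dev@example.org> 1435940353 +0000"

def commit_id(files, parent, message):
    """A commit names its tree and its parent by id, so both feed its own id."""
    lines = [f"tree {tree_id(files)}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def history_tip(snapshots):
    """Commit each snapshot on top of the previous one; return the tip id."""
    parent = None
    for n, files in enumerate(snapshots):
        parent = commit_id(files, parent, f"commit {n}")
    return parent

# Constructed three-commit history.
HISTORY = [
    {"README": b"v1\n"},
    {"README": b"v1\n", "ebuild": b"EAPI=5\n"},
    {"README": b"v2\n", "ebuild": b"EAPI=5\n"},
]

def tamper_changes_tip():
    """Alter only the oldest commit's content and compare tip ids."""
    signed_tip = history_tip(HISTORY)  # the id a signed tag or tip commit would name
    altered = [dict(s) for s in HISTORY]
    altered[0]["README"] = b"v1 altered\n"
    return signed_tip != history_tip(altered)

if __name__ == "__main__":
    print("tip:", history_tip(HISTORY), "changes on tamper:", tamper_changes_tip())
```

A verifier holding one signature over the tip id therefore detects a change to any reachable commit, to the extent that the hash function resists collisions.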