On Fri, Sep 06, 2024 at 10:44:54AM -0700, Vagrant Cascadian wrote:
> Is it just me, or is rebasing branches disconcerting, as it likely means
> the person signing the commit is not necessarily the original person
> pushing the commit? This is worst for the now deprecated core-updates
> branch with many rebased commits... are people still updating the
> signed-off-by tags or whatnot?
In Guix, the "signed-off-by" tag gives credit to the reviewer of the patch, but doesn't indicate anything about authority to push to guix.git. In all cases, a commit that is pushed to guix.git will be signed by an authorized committer. The signature system ensures that.

If we are concerned about long-running branches being rebased and commits losing their "original" signatures, I think it's not really something to worry about. That's because the signature *only* tells us that the commit was signed by someone who is authorized, and it tells us *nothing* else. The code-signing authorization is extremely limited in scope. It doesn't tell us that the code works, is freely licensed, is not malicious, etc. So, it doesn't matter who signs a commit, as long as it is signed by an authorized person.

Does this respond to your concerns? Or have I misunderstood?