On Thu, 5 May 2016, John Crispin wrote:
> On 05/05/2016 07:38, David Lang wrote:
>> On Thu, 5 May 2016, John Crispin wrote:
>>> On 04/05/2016 23:38, Kus wrote:
>>>> Greetings
>>>> I'd like to propose that all commits (at least to master) going
>>>> forward be signed with the committer's gpg key.
>>>> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>> Thoughts?
>>> we could do that. if you look at the keyring.git, you will see that we
>>> already asked those with commit access to submit their gpg keys.
>> At that point, all you are signing is who merged the work into the tree.
>> That doesn't give you any information about who created the work.
> that is not what i meant. i would like to encourage people sending
> patches or PRs to sign those if that is possible.
>> Is there enough value in this to be worth the hassle?
> to my understanding this can be automated using git.

Kus and I had an exchange that ended up going off-list, apologies if I duplicate
things that made it to the list.
Is it acceptable to only have some commits signed and not all?
while git automates the signing after it's all set up, that setup still needs to
be done.
Given the lack of any real ability to tie an online name to a physical person,
what is the value of signing? If it is valuable, why do you allow anything not
to be signed?
how do you handle things via e-mail where the signature either doesn't exist or
can't be transferred?
how do you handle cases where the maintainer needs to fix a merge or otherwise
tweak the submission?
Other than as a gee-whiz we-can-do-that, what's the actual value provided by the
signatures?
David Lang