polygene-dev mailing list archives

From Paul Merlin <p...@nosphere.org>
Subject Re: Commit signing?
Date Fri, 30 Oct 2015 20:24:00 GMT
Niclas Hedhman wrote:
> Hi,
> There is some internal debate about how to ensure provenance in a Git and
> GitHub world. I can't say how that discussion is going, but one idea that
> surfaced, which we (the projects) can do regardless of the total outcome,
> to improve code provenance is to sign our commits.
> I first note that IntelliJ doesn't support commit signing directly.
> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> that correctly) is a must read.
> In that paper, I am specifically talking about Option #3 (as I doubt that
> we (Zest) will get too many pull requests that are many commits long)
> This seems to be something that can be introduced incrementally and at slow
> pace, which is something we like at Apache. Trust enforcement and all of
> that can be done later, and perhaps other projects will lead the way...
> I would like to hear what people think about this...
I think we should sign tags at least/first.

I'd be in favor of signing commits.
Doing this properly could also mean adding a hook to reject unsigned

For external contributions, some Zest committer will always end up doing
the actual code import. I'd be in favor of always squashing such code
imports, and have the committer sign it. For the
numerous-commits-pull-request "usecase", it implies a bit of work to get
a proper commit message that captures what was spread across several
commits, or request its author to do the squashing.
Do you see any drawbacks doing it like this?

> P.S. I am now settled in, in Shanghai and just started to work on a new
> Zest based app on my spare time, so activity should start to pick up again.
P.S. Good! I've been busy with work changes these weeks. I have good
hope that it will calm down a bit.
BTW, Niclas' key and mine can be found here:

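As an added example (not code from this thread or the Zest project), here is a server-side Git `update` hook that implements the "reject unsigned commits" idea discussed above. It assumes a self-hosted Git server where hooks can be installed, and a hook user whose GPG keyring already holds the committers' public keys; the sample log output at the bottom is constructed so the policy can be exercised without a repository.

```shell
#!/bin/sh
# Added example, not Zest project code: an `update` hook that refuses a push
# if any commit it adds lacks a good signature from a trusted key. Assumed:
# self-hosted Git server with hooks enabled, committers' keys in the keyring.
# `git log --format=%G?` yields one letter per commit: G good, B bad,
# U good but key untrusted, X expired signature, Y expired key,
# R revoked key, E cannot check, N no signature.

# Policy for one status letter: only a good signature from a trusted key passes.
signature_ok() {
    case "$1" in
        G) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "<sha> <status>" lines on stdin; report rejects on stderr; return 1 if any.
check_commit_lines() {
    bad=0
    while read -r sha status; do
        [ -n "$sha" ] || continue
        if ! signature_ok "$status"; then
            echo "rejected: $sha has signature status '$status'" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Check only the commits the push adds (update hook args: refname, old, new).
# A newly created ref arrives with an all-zero old sha.
check_range() {
    oldrev=$2; newrev=$3
    if [ "$oldrev" = "0000000000000000000000000000000000000000" ]; then
        git log --format='%H %G?' "$newrev" --not --all | check_commit_lines
    else
        git log --format='%H %G?' "$oldrev..$newrev" | check_commit_lines
    fi
}

# Constructed sample of `git log --format='%H %G?'` output: one commit signed
# by a trusted key, one unsigned, one signed by a key not in the trust set.
SAMPLE='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U'

# Git invokes an update hook with exactly three arguments; otherwise do nothing.
if [ $# -eq 3 ]; then
    check_range "$@" || exit 1
fi
```

Installed as `hooks/update` on the server, the hook makes a push fail as a whole when any new commit is unsigned or signed by an untrusted key, which is what the signed-tags-first and hook-based enforcement above would need.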