polygene-dev mailing list archives
From Niclas Hedhman <nic...@hedhman.org>
Subject Re: Commit signing?
Date Sat, 31 Oct 2015 01:46:26 GMT
Drawback, more work...

KEYS should also be available on pgp.mit.edu

On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <paul@nosphere.org> wrote:

> Niclas Hedhman wrote:
> > Hi,
> > There is some internal debate about how to ensure provenance in a Git
> > and GitHub world. I can't say how that discussion is going, but one idea that
> > surfaced, which we (the projects) can do regardless of the total outcome,
> > to improve code provenance is to sign our commits.
> >
> > I first note that IntelliJ doesn't support commit signing directly.
> >
> > Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> > that correctly) is a must read.
> >
> > In that paper, I am specifically talking about Option #3 (as I doubt that
> > we (Zest) will get too many pull requests that are many commits long)
> >
> > This seems to be something that can be introduced incrementally and at
> > a slow pace, which is something we like at Apache. Trust enforcement and all of
> > that can be done later, and perhaps other projects will lead the way...
> >
> > I would like to hear what people think about this...
> I think we should sign tags at least/first.
> I'd be in favor of signing commits.
> Doing this properly could also mean adding a hook to reject unsigned
> commits.
> For external contributions, some Zest committer will always end up doing
> the actual code import. I'd be in favor of always squashing such code
> imports, and having the committer sign it. For the
> numerous-commits-pull-request "use case", it implies a bit of work to get
> a proper commit message that captures what was spread across several
> commits, or request its author to do the squashing.
> Do you see any drawbacks doing it like this?
> > P.S. I am now settled in, in Shanghai and just started to work on a new
> > Zest based app in my spare time, so activity should start to pick up
> > again.
> P.S. Good! I've been busy with work changes these weeks. I have good
> hope that it will calm down a bit.
> BTW, Niclas' key and mine can be found here:
> https://dist.apache.org/repos/dist/release/zest/KEYS

Niclas Hedhman, Software Developer
http://zest.apache.org - New Energy for Java
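A server-side hook of the kind Paul proposes (reject pushes that contain unsigned or unverifiable commits), as an added example that is not code from this thread or from the Zest project. It assumes the committers' public keys are already imported into the GPG keyring of the user running the git server, and relies on git's `%G?` signature-status placeholder; keys with unknown trust are accepted, matching the "trust enforcement can be done later" stance above.

```shell
#!/bin/sh
# Added example: pre-receive hook rejecting commits without a good signature.
# Assumes committer public keys are in the server's GPG keyring.

# classify_signatures reads "<sha> <status>" lines as printed by
# `git log --format='%H %G?'`, prints every rejected commit with a reason,
# and returns 0 only if all commits carry a good signature.
classify_signatures() {
    bad=0
    while read -r sha status; do
        [ -n "$sha" ] || continue
        case "$status" in
            G|U) continue ;;   # good signature (U = key not yet trusted, tolerated for now)
            N)   echo "reject $sha: no signature" ;;
            B)   echo "reject $sha: BAD signature" ;;
            X|Y) echo "reject $sha: signature or signing key expired" ;;
            R)   echo "reject $sha: signing key revoked" ;;
            E)   echo "reject $sha: signature cannot be checked (key missing?)" ;;
            *)   echo "reject $sha: unknown status '$status'" ;;
        esac
        bad=1
    done
    return $bad
}

# check_range verifies every commit a ref update would introduce.
# For a brand-new ref (old rev all zeros) the whole history of newrev is checked.
check_range() {
    oldrev=$1; newrev=$2
    zero=0000000000000000000000000000000000000000
    if [ "$oldrev" = "$zero" ]; then range=$newrev; else range="$oldrev..$newrev"; fi
    git log --format='%H %G?' "$range" | classify_signatures
}

# pre-receive entry point: git feeds one "oldrev newrev refname" line per ref;
# a non-zero exit makes git refuse the entire push.
if [ "$(basename "$0")" = pre-receive ]; then
    rc=0
    while read -r oldrev newrev refname; do
        check_range "$oldrev" "$newrev" || rc=1
    done
    exit $rc
fi
```

Install it as `hooks/pre-receive` (executable) in the bare repository; the same `classify_signatures` check can be run in CI over `git log --format='%H %G?' origin/master..HEAD` before merging a pull request.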
