polygene-dev mailing list archives

From Niclas Hedhman <nic...@hedhman.org>
Subject Commit signing?
Date Wed, 28 Oct 2015 01:32:54 GMT
Hi,
There is some internal debate about how to ensure provenance in a Git and
GitHub world. I can't say how that discussion is going, but one idea that
surfaced, which we (the projects) can do regardless of the total outcome,
to improve code provenance is to sign our commits.

I first note that IntelliJ doesn't support commit signing directly.

Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
that correctly) is a must read.

In that paper, I am specifically talking about Option #3 (as I doubt that
we (Zest) will get too many pull requests that are many commits long).

This seems to be something that can be introduced incrementally and at slow
pace, which is something we like at Apache. Trust enforcement and all of
that can be done later, and perhaps other projects will lead the way...

I would like to hear what people think about this...

Cheers
Niclas

P.S. I am now settled in in Shanghai and have just started to work on a new
Zest-based app in my spare time, so activity should start to pick up again.
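The "trust enforcement" step that the message defers is the part a project eventually has to script: once commits are signed, something has to ask git which commits carry a good signature from a key the project actually recognises. The following is an added example written for this archive page, not code from Niclas's message or from the Zest project. It uses the signature placeholders documented in git-log(1) (%G?, %GK, %GS) and checks the result against an allow-list of key ids. The sample log lines, the commit hashes, the key ids and the allow-list are all constructed for illustration; the `git_log_signatures` helper shows how the same parser would be fed from a real repository.

```python
"""Signature-policy check over a git history.

Added example (not from the mailing-list post or the Zest project): a small
script a project could run in CI or a pre-receive hook once it decides to
enforce signed commits. It asks git for one line per commit using the
signature placeholders documented in git-log(1) and flags commits that do not
carry a good signature from an allow-listed key. The sample log lines, hashes,
key ids and allow-list below are constructed for illustration.
"""
import subprocess
from dataclasses import dataclass

# One tab-separated line per commit: hash, %G? status, signing key id, signer, subject.
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%GS%x09%s"

# Status codes emitted by %G? (git-log(1), "pretty formats").
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity (key not trusted in the keyring)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


@dataclass
class CommitSignature:
    sha: str
    status: str
    key_id: str
    signer: str
    subject: str


def parse_log(text):
    """Parse the tab-separated lines produced by LOG_FORMAT."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 4)
        # Unsigned commits leave %GK and %GS empty; pad so every record has five fields.
        fields += [""] * (5 - len(fields))
        commits.append(CommitSignature(*fields))
    return commits


def check_policy(commits, trusted_key_ids, accept_untrusted_keyring=True):
    """Return (sha, reason) for every commit that violates the signing policy.

    A commit passes only if its signature verified ("G", or "U" when the
    keyring's trust database is not maintained and accept_untrusted_keyring is
    set) AND the signing key is on the project's own allow-list. Trust is thus
    decided by the allow-list, not by GPG's web of trust.
    """
    ok_statuses = {"G"} | ({"U"} if accept_untrusted_keyring else set())
    violations = []
    for c in commits:
        if c.status not in ok_statuses:
            violations.append((c.sha, STATUS_MEANING.get(c.status, "unknown status %r" % c.status)))
        elif c.key_id.upper() not in trusted_key_ids:
            violations.append((c.sha, "signed by key %s which is not on the allow-list" % c.key_id))
    return violations


def git_log_signatures(repo_path, rev_range="HEAD"):
    """Run git in a real repository and return the parsed commits (not exercised offline)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


# Constructed sample output, shaped as git prints it with LOG_FORMAT; hashes and key ids are fake.
SAMPLE_LOG = "\n".join([
    "1" * 40 + "\tG\tDEADBEEF00000001\tAlice Example <alice@example.org>\tAdd feature",
    "2" * 40 + "\tU\tCAFEF00D00000002\tBob Example <bob@example.org>\tFix bug",
    "3" * 40 + "\tN\t\t\tDrive-by change",
    "4" * 40 + "\tB\tDEADBEEF00000001\tAlice Example <alice@example.org>\tTampered commit",
    "5" * 40 + "\tE\t0BADC0DE00000003\t\tUnknown signer",
])

# Constructed allow-list of the project's committer key ids.
TRUSTED_KEYS = {"DEADBEEF00000001", "CAFEF00D00000002"}


def sample_violations():
    """Run the policy over the constructed sample history."""
    return check_policy(parse_log(SAMPLE_LOG), TRUSTED_KEYS)


if __name__ == "__main__":
    for sha, reason in sample_violations():
        print("%s: %s" % (sha[:12], reason))
```

Because the allow-list, not the GPG trust database, decides who is a recognised committer, the check can be introduced gradually in the spirit of the message: start by reporting violations, and only later make the hook reject pushes whose history contains unsigned, badly signed or unknown-key commits.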
