polygene-dev mailing list archives

From Paul Merlin <p...@nosphere.org>
Subject Re: Commit signing?
Date Mon, 02 Nov 2015 14:02:14 GMT
Niclas Hedhman wrote:
> Drawback, more work...

Sure. Or we state that we require external contributions to be squashed.

> KEYS should also be available on pgp.mit.edu
> On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <paul@nosphere.org> wrote:
>> Niclas Hedhman wrote:
>>> Hi,
>>> There is some internal debate about how to ensure provenance in a Git and
>>> GitHub world. I can't say how that discussion is going, but one idea that
>>> surfaced, which we (the projects) can do regardless of the total outcome,
>>> to improve code provenance is to sign our commits.
>>> I first note that IntelliJ doesn't support commit signing directly.
>>> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
>>> that correctly) is a must read.
>>> In that paper, I am specifically talking about Option #3 (as I doubt that
>>> we (Zest) will get too many pull requests that are many commits long)
>>> This seems to be something that can be introduced incrementally and at a slow
>>> pace, which is something we like at Apache. Trust enforcement and all of
>>> that can be done later, and perhaps other projects will lead the way...
>>> I would like to hear what people think about this...
>> I think we should sign tags at least/first.
>> I'd be in favor of signing commits.
>> Doing this properly could also mean adding a hook to reject unsigned
>> commits.
>> For external contributions, some Zest committer will always end up doing
>> the actual code import. I'd be in favor of always squashing such code
>> imports, and have the committer sign it. For the
>> numerous-commits-pull-request "use case", it implies a bit of work to get
>> a proper commit message that captures what was spread across several
>> commits, or request its author to do the squashing.
>> Do you see any drawbacks doing it like this?
>>> P.S. I am now settled in, in Shanghai and just started to work on a new
>>> Zest based app in my spare time, so activity should start to pick up again.
>> P.S. Good! I've been busy with work changes these weeks. I have good
>> hope that it will calm down a bit.
>> BTW, Niclas' key and mine can be found here:
>> https://dist.apache.org/repos/dist/release/zest/KEYS
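The thread above proposes a hook that rejects unsigned commits. The script below is an added example of such a server-side pre-receive hook; it is not code from the Zest project or from either poster. It relies on how git stores a signature: `git commit -S` writes a `gpgsig` header (`gpgsig-sha256` in SHA-256 repositories) into the commit object, which `git cat-file commit <sha>` prints before the blank line that ends the headers. The sample commit objects are constructed with placeholder ids and a fake signature block, and the hook wiring at the bottom assumes the script is installed as `hooks/pre-receive` on the server.

```python
"""Pre-receive hook logic that rejects pushes containing unsigned commits.

Added example, not Zest/Polygene project code. Checks only that a
signature header is present; verifying the signature against the
committers' keys (e.g. the KEYS file) would be the stricter next step.
"""
import subprocess
import sys

# git stores the signature in one of these commit-object headers
SIGNATURE_HEADERS = ("gpgsig ", "gpgsig-sha256 ")
ZERO_OID = "0" * 40  # "no such object", as seen on ref creation/deletion


def has_gpgsig(raw_commit: str) -> bool:
    """True if the raw commit object carries a signature header.

    Headers end at the first empty line. Continuation lines of a
    multi-line header start with one space, so the blank line inside a
    PGP block is stored as " " and does not end the header section.
    Only headers are examined: a PGP block pasted into the commit
    message body does not count as a signature.
    """
    for line in raw_commit.split("\n"):
        if line == "":
            return False  # end of headers, no signature seen
        if line.startswith(SIGNATURE_HEADERS):
            return True
    return False


def unsigned_commits(commits):
    """Given {sha: raw commit object}, return the shas lacking a signature."""
    return [sha for sha, raw in commits.items() if not has_gpgsig(raw)]


def _git(*args):
    return subprocess.run(["git", *args], check=True,
                          capture_output=True, text=True).stdout


def pushed_commits(old, new):
    """Map sha -> raw commit object for every commit a ref update introduces.

    For a brand-new ref, "--not --all" excludes commits already reachable
    from existing refs; a ref deletion introduces nothing to check.
    """
    if new == ZERO_OID:
        return {}
    rev_args = [new, "--not", "--all"] if old == ZERO_OID else [f"{old}..{new}"]
    shas = _git("rev-list", *rev_args).split()
    return {sha: _git("cat-file", "commit", sha) for sha in shas}


# Constructed sample commit objects shaped like `git cat-file commit`
# output: placeholder tree id (the empty tree) and a fake signature block.
_HEADERS = [
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "author Example Dev <dev@example.org> 1446472934 +0000",
    "committer Example Dev <dev@example.org> 1446472934 +0000",
]
_FAKE_SIG = [
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",
    " iQEcBAABAgAGBQJWN0pOAAoJEPLACEHOLDERNOTREAL=",
    " =abcd",
    " -----END PGP SIGNATURE-----",
]
SIGNED_COMMIT = "\n".join(_HEADERS + _FAKE_SIG + ["", "Sign commits", ""])
UNSIGNED_COMMIT = "\n".join(_HEADERS + ["", "Unsigned import", ""])
BODY_ONLY_COMMIT = "\n".join(_HEADERS + ["", "Looks signed but is not:",
                                         "-----BEGIN PGP SIGNATURE-----",
                                         "-----END PGP SIGNATURE-----", ""])


def main():
    """Hook entry point: stdin carries one 'old new ref' line per update."""
    bad = []
    for update in sys.stdin:
        old, new, _ref = update.split()
        bad += unsigned_commits(pushed_commits(old, new))
    for sha in bad:
        print(f"rejected: commit {sha} is not signed", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit from pre-receive makes git refuse the whole push, which is what the "reject unsigned commits" idea needs. Signed tags can be checked the same way on the tag object (`git cat-file tag`), where the PGP block sits at the end of the body rather than in a header, so that case would need its own test.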
