On 11 May 2016 at 00:04, Alexis Ballier <aballier@g.o> wrote:
> well, then I can commit crap with --author mrp@g.o and claim he
> made me rebase it :)

Well, if you're going down that line ...

You don't rebase it, you just merge it, and then mrp claims obama
forced his hand to write the commit at gunpoint and sign it, and
that's why he is both --author and --committer

That's obviously silly talk :D

You put your name on it with your GPG key, then the responsibility
beyond that point is a social one, not a technical one.

The person who signed via GPG still holds the "Technical responsibility" :)

> I understand gpg signing of commits as a way to guarantee author is
> correctly set and claims the commit.

No. GPG commit signing only guarantees "committer". That's why git
rebase re-writes committer as well as re-signing it.

The committer metadata itself is no real guarantee either, because you
can twiddle COMMIT env vars and change that on a whim, so I could
forge a commit authored by mrp and committed by aballier ... and
unless you checked the GPG sig, you'd never know that I made it.

But by design, the signature only indicates who the person was who
*committed* a commit, it can never indicate the true author.

For instance, a commit *could* in theory be authored by somebody who
has no access to a computer, and I could copy-paste that data and
upload it.

The true author would never be known /unless/ I forged author data,
but I sure was the person who committed it.

And "Commit responsibility" is what we're trying to regulate here.
"Author metadata" is just for attribution/credits sake, and a *weak*
responsibility.

--
Kent

KENTNL - https://metacpan.org/author/KENTNL
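
Added example, not part of the original message: a throwaway repository showing that git records whatever author and committer the environment supplies, and an audit helper that lists commits lacking a good signature. The identities, function names and commit are constructed for illustration; the commit is deliberately left unsigned.

```shell
#!/bin/sh
# Added example: author/committer are free-form metadata; only a verified
# signature ties a commit to a key. All identities below are constructed.

# Create a throwaway repo with one unsigned commit whose author and committer
# come purely from environment variables. Prints the repo path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" || return 1
    (
        cd "$repo" &&
        echo demo > file.txt &&
        git add file.txt &&
        GIT_AUTHOR_NAME="Alice Example" GIT_AUTHOR_EMAIL="alice@example.org" \
        GIT_COMMITTER_NAME="Bob Example" GIT_COMMITTER_EMAIL="bob@example.org" \
        git -c commit.gpgsign=false commit -q -m "constructed commit"
    ) || return 1
    printf '%s\n' "$repo"
}

# Identity metadata exactly as recorded in the commit: "author|committer".
recorded_identities() {
    git -C "$1" log -1 --format='%ae|%ce'
}

# List commits that lack a good signature. %G? is git's signature status:
# G = good, N = none, B = bad, U = good but unknown validity, and so on.
# Output: "<status> <short-hash> <committer-email>" per unverified commit.
unverified_commits() {
    git -C "$1" log --format='%G? %h %ce' | awk '$1 != "G"'
}
```

A status of G only says some key in the keyring produced a valid signature; an audit should also compare the signer (`%GK`, `%GS`) against the key expected for that committer.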