Hi,

On Fri, 3 Jul 2015 11:19:13 -0500 William Hubbs wrote:
> On Fri, Jul 03, 2015 at 06:34:41AM +0000, Robin H. Johnson wrote:
> > On Thu, Jul 02, 2015 at 09:46:18PM -0400, Brian Evans wrote:
> > > Does this mean that https://wiki.gentoo.org/wiki/Gentoo_git_workflow
> > > is no longer draft or needs work or another document is meant to
> > > display the new flow?
> > It does cover most of the things needed.
> >
> > It could use some revision regarding gkeys, and I'd like to also mandate
> > signed pushes in addition to signed commits.
>
> A push doesn't create any data, it just uploads it to the repo, so how
> do you sign a push?

As I see from git docs only commits and tags may be signed. There
is no way to sign a push. Moreover there is no need to sign each
commit, see what Linux says on that:
http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

''
Btw, there's a final reason, and probably the really real one.
Signing each commit is totally stupid. It just means that you
automate it, and you make the signature worth less. It also doesn't
add any real value, since the way the git DAG-chain of SHA1's work,
you only ever need _one_ signature to make all the commits
reachable from that one be effectively covered by that one. So
signing each commit is simply missing the point.
''

Best regards,
Andrew Savchenko
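The DAG-chain property quoted above, as an added example that is not part of the original message: it recomputes git object IDs (SHA-1 over `<type> <size>\0` plus the body) for a small linear history and shows that changing any ancestor changes the tip ID, which is why a signature over the tip also binds every commit reachable from it. The identity, file name and commit messages are constructed for the illustration.

```python
import hashlib

IDENT = "Example Dev <dev@example.org> 1435940353 +0000"  # constructed identity


def object_id(kind: str, body: bytes) -> str:
    """Git object ID: SHA-1 over '<kind> <size>\\0' followed by the body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def tree_id(content: bytes) -> str:
    """ID of a tree holding one regular file, file.txt (constructed layout)."""
    blob = bytes.fromhex(object_id("blob", content))
    return object_id("tree", b"100644 file.txt\0" + blob)


def commit_id(tree: str, parents: list, message: str) -> str:
    """ID of a commit; the parent IDs are part of the hashed body."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message, ""]
    return object_id("commit", "\n".join(lines).encode())


def build_chain(versions: list) -> list:
    """Linear history, one commit per file version; returns IDs oldest first."""
    ids = []
    for n, content in enumerate(versions):
        ids.append(commit_id(tree_id(content), ids[-1:], f"change {n}"))
    return ids


def first_divergence(a: list, b: list):
    """Index of the first commit whose ID differs, or None if identical."""
    for n, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return n
    return None


if __name__ == "__main__":
    good = build_chain([b"v1\n", b"v2\n", b"v3\n"])
    # Constructed tampering: the oldest commit's file content is altered.
    bad = build_chain([b"v1 backdoor\n", b"v2\n", b"v3\n"])
    print("signed tip:  ", good[-1])
    print("tampered tip:", bad[-1])
    print("IDs diverge from commit", first_divergence(good, bad))
```

A signature made over `good[-1]` (for example a signed tag on the tip) no longer matches once any ancestor is altered, because every later commit ID is derived from its parent's ID.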