| 1 |
Hi, |
| 2 |
|
| 3 |
On Fri, 3 Jul 2015 11:19:13 -0500 William Hubbs wrote: |
| 4 |
> On Fri, Jul 03, 2015 at 06:34:41AM +0000, Robin H. Johnson wrote: |
| 5 |
> > On Thu, Jul 02, 2015 at 09:46:18PM -0400, Brian Evans wrote: |
| 6 |
> > > Does this mean that https://wiki.gentoo.org/wiki/Gentoo_git_workflow |
| 7 |
> > > is no longer draft or needs work or another document is meant to |
| 8 |
> > > display the new flow? |
| 9 |
> > It does cover most of the things needed. |
| 10 |
> > |
| 11 |
> > It could use some revision regarding gkeys, and I'd like to also mandate |
| 12 |
> > signed pushes in addition to signed commits. |
| 13 |
> |
| 14 |
> A push doesn't create any data, it just uploads it to the repo, so how |
| 15 |
> do you sign a push? |
| 16 |
|
| 17 |
As I see from git docs only commits and tags may be signed. There |
| 18 |
is no way to sign a push. Moreover there is no need to sign each |
| 19 |
commit, see what Linux says on that: |
| 20 |
http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html |
| 21 |
|
| 22 |
'' |
| 23 |
Btw, there's a final reason, and probably the really real one. |
| 24 |
Signing each commit is totally stupid. It just means that you |
| 25 |
automate it, and you make the signature worth less. It also doesn't |
| 26 |
add any real value, since the way the git DAG-chain of SHA1's work, |
| 27 |
you only ever need _one_ signature to make all the commits |
| 28 |
reachable from that one be effectively covered by that one. So |
| 29 |
signing each commit is simply missing the point. |
| 30 |
'' |
| 31 |
|
| 32 |
Best regards, |
| 33 |
Andrew Savchenko |
Archives