| 1 |
On Tue, Jun 14, 2016 at 10:41:38AM +0200, Alexander Berntsen wrote: |
| 2 |
> Friends, |
| 3 |
> |
| 4 |
> I saw Brian asking Michał to OpenPGP-sign his commits in IRC, to which |
| 5 |
> Michał quipped that we would have if it were enforced. So perhaps we |
| 6 |
> should just enforce it. Most of us do it -- but I see Zac not doing it |
| 7 |
> sometimes, seemingly at random. In any event, I don't think there's a |
| 8 |
> good reason *not* to sign things. |
| 9 |
> |
| 10 |
> What do you think? And what's the procedure/who do we talk to, to get |
| 11 |
> a pre-push hook set up to enforce it? |
| 12 |
A pre-push hook would only do it locally for you, it wouldn't enforce it |
| 13 |
on the server side. |
| 14 |
|
| 15 |
Please file a bug to have infra turn it on for the repos you want |
| 16 |
(specify them in the bug). |
| 17 |
|
| 18 |
Here's the actual hook that's used: |
| 19 |
https://github.com/gentoo/git-gx86-tools/blob/master/hooks/dev-git/update-02-gpg |
| 20 |
Note that it only verifies on the master branch, and for merges, only |
| 21 |
the merge-commit onto master is verified. |
| 22 |
|
| 23 |
-- |
| 24 |
Robin Hugh Johnson |
| 25 |
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer |
| 26 |
E-Mail : robbat2@g.o |
| 27 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 28 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives