| 1 |
On 2018-06-14 21:55, kuzetsa wrote: |
| 2 |
> for non-developers who already contribute using a |
| 3 |
> git-based workflow, all github does (for example: for me |
| 4 |
> in-particular) is provide a convenient way to validate |
| 5 |
> that the commit was made by me and not someone else. |
| 6 |
> |
| 7 |
> so long as repoman's default requirement that commits |
| 8 |
> should be signed, the github infrastructure knows which |
| 9 |
> PGP key is mine, and marks my commits as verified. for my |
| 10 |
> comfort, the increased effort to use a different workflow |
| 11 |
> (switching infra for git pushes) would be trivial, but |
| 12 |
> the burden is still a burden. a needless burden. |
| 13 |
|
| 14 |
GitHub's feature to display "verified" status has zero meaning for the |
| 15 |
Gentoo project. We only trust our own key store. |
| 16 |
|
| 17 |
But this all doesn't matter: |
| 18 |
GitLab for example offers a similar feature. I.e. you can add your |
| 19 |
public key to your GitLab.com account like you did with your GitHub.com |
| 20 |
account and GitLab will display the same "verified" indicator. |
| 21 |
|
| 22 |
|
| 23 |
-- |
| 24 |
Regards, |
| 25 |
Thomas Deutschmann / Gentoo Linux Developer |
| 26 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives