Posted to dev@polygene.apache.org by Paul Merlin <pa...@nosphere.org> on 2015/11/02 15:02:14 UTC

Re: Commit signing?

Niclas Hedhman wrote:
> Drawback, more work...

Sure. Or we state that we require external contributions to be squashed.

> KEYS should also available on pgp.mit.edu
>
> On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <pa...@nosphere.org> wrote:
>
>> Niclas Hedhman wrote:
>>> Hi,
>>> There is some internal debate about how to ensure provenance in a Git
>>> and GitHub world. I can't say how that discussion is going, but one idea that
>>> surfaced, which we (the projects) can do regardless of the total outcome,
>>> to improve code provenance is to sign our commits.
>>>
>>> I first note that IntelliJ doesn't support commit signing directly.
>>>
>>> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
>>> that correctly) is a must read.
>>>
>>> In that paper, I am specifically talking about Option #3 (as I doubt that
>>> we (Zest) will get too many pull requests that are many commits long)
>>>
>>> This seems to be something that can be introduced incrementally and at a
>>> slow pace, which is something we like at Apache. Trust enforcement and all of
>>> that can be done later, and perhaps other projects will lead the way...
>>>
>>> I would like to hear what people think about this...
>> I think we should sign tags at least/first.
>>
>> I'd be in favor of signing commits.
>> Doing this properly could also mean adding a hook to reject unsigned
>> commits.
>>
>> For external contributions, some Zest committer will always end up doing
>> the actual code import. I'd be in favor of always squashing such code
>> imports, and having the committer sign it. For the
>> numerous-commits-pull-request "use case", it implies a bit of work to get
>> a proper commit message that captures what was spread across several
>> commits, or to request that its author do the squashing.
>> Do you see any drawbacks doing it like this?
>>
>>> P.S. I am now settled in, in Shanghai and just started to work on a new
>>> Zest based app on my spare time, so activity should start to pick up
>>> again.
>> P.S. Good! I've been busy with work changes these weeks. I have good
>> hope that it will calm down a bit.
>>
>> BTW, Niclas' key and mine can be found here:
>> https://dist.apache.org/repos/dist/release/zest/KEYS
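A server-side hook of the kind Paul proposes (reject unsigned commits, leave key-trust enforcement for later, as Niclas suggests), written here as an added example; it is not the Zest project's own hook. It assumes git on the server and the committers' public keys from the KEYS file imported into the hook user's GnuPG keyring; the status letters are git's documented `%G?` values.

```shell
#!/bin/sh
# Example "update" hook (not from the Zest project): refuse pushes that add
# commits without an acceptable OpenPGP signature. Assumes git on the server
# and the KEYS file's public keys imported into the hook user's gpg keyring.
# Install as $GIT_DIR/hooks/update and make it executable.

# Map git's one-letter %G? status to accept (0) / reject (1). Policy from the
# thread: demand a verifiable signature now, defer trust enforcement, so "U"
# (good signature, unknown validity) is accepted alongside "G".
signature_acceptable() {
    case "$1" in
        G|U) return 0 ;;   # good signature, validity trusted or unknown
        *)   return 1 ;;   # N none, B bad, E unverifiable, X/Y/R expired/revoked
    esac
}

# Human-readable reason for the push error message.
describe_status() {
    case "$1" in
        N) echo "no signature" ;;
        B) echo "bad signature" ;;
        E) echo "signature cannot be checked (key missing from keyring?)" ;;
        X) echo "good signature, but it has expired" ;;
        Y) echo "good signature made by an expired key" ;;
        R) echo "good signature made by a revoked key" ;;
        *) echo "unknown signature status '$1'" ;;
    esac
}

# git invokes an update hook as: <refname> <old-sha1> <new-sha1>
if [ "$#" -eq 3 ]; then
    refname=$1; oldrev=$2; newrev=$3
    zero=0000000000000000000000000000000000000000
    # Deleting a ref introduces no commits; nothing to verify.
    [ "$newrev" = "$zero" ] && exit 0
    # New ref: check every commit not already reachable; existing ref: only
    # the commits being added on top of the old tip.
    if [ "$oldrev" = "$zero" ]; then
        range="$newrev --not --all"
    else
        range="$oldrev..$newrev"
    fi
    for rev in $(git rev-list $range); do
        status=$(git log -1 --format=%G? "$rev")
        if ! signature_acceptable "$status"; then
            echo "rejected $refname: commit $rev has $(describe_status "$status")" >&2
            exit 1
        fi
    done
fi
```

Because the hook runs before the ref is updated, an unsigned merge of an external pull request is refused just like any other commit, which is why the squash-and-sign import step discussed above matters.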