Steffen Nurpmeso wrote this message on Fri, Dec 18, 2020 at 19:28 +0100:
> Brooks Davis wrote in
>  <20201218175241.GA72552_at_spindle.one-eyed-alien.net>:
> |On Thu, Dec 17, 2020 at 05:53:20PM -0800, Thomas Mueller wrote:
> |>>> I hope we don't have to start signing all commits. saltstack/salt has
> |>>> that policy, and it's extremely annoying.
> |>
> |>> Have to? Not currently. As with all process changes, there will be
> |>> community discussion around the different points.
> |>
> |>> Warner
> |>
> |> I hope not!
> |>
> |> Signatures, at least in email messages, are just an annoyance as
> |> I see them.
> |>
> |> I don't even know how to sign an email message or make use of a
> |> signature in a message I receive.
> |>
> |> I have never made a commit to a repository, so would not be familiar
> |> with signatures there; imagine it would be a barrier.
> |
> |Signed commits have no practical effect on users of a repo.
>
> Well you can verify integrity of a repository regardless of how it
> was distributed, this is why it is done, right.
>
> #?0$ git log --oneline --show-signature -1 v14.9.20.ar
> 16a21755 (...)
> gpg: Signature made Sun 13 Dec 2020 12:43:44 AM CET
> gpg: using RSA key DF082F6AEEC8C2FF
> gpg: Good signature from "Steffen Nurpmeso <steffen_at_sdaoden.eu>"
> Bump S-nail v14.9.20.ar ("Sombre Tit (Trauermeise)"), 2020-12-12
>
> #?0$ git tag -v v14.9.20.ar; echo $?
> object 16a21755fd1fade2b15fdb78a592f12169c3453f
> type commit
> tag v14.9.20.ar
> tagger Steffen Nurpmeso <steffen_at_sdaoden.eu> 1607816624 +0100
>
> Bump S-nail v14.9.20.ar ("Sombre Tit (Trauermeise)"), 2020-12-12
> gpg: Signature made Sun 13 Dec 2020 12:43:44 AM CET
> gpg: using RSA key DF082F6AEEC8C2FF
> gpg: Good signature from "Steffen Nurpmeso <steffen_at_sdaoden.eu>"
> 0

TL;DR I don't see any reason for devs to sign commits.

I could see use for RE (or another entity) to occasionally (weekly?)
sign the repo (say COPYRIGHT or UPDATING), and it would be nice for
them to sign all the tags used for releases, but having every dev sign
would make the devs' lives difficult...

It's also hard to collect ALL the keys of the devs at any point in time
to decide if that key is authorized to sign a commit in the repo... Like
if a dev starts in 2021, any commits made by that dev prior to 2021
should not be "valid"..

Then there's also the issue that people's keys change over time, and
now you need to know what time period each key was valid for, otherwise
a compromised key could be used to insert malicious changes into
your/the tree...

Then there's also the point that the repo is (looks like it) using
SHA-1 hashes, which are effectively broken, so depending upon them to
validate the tree is questionable anyways.

--
John-Mark Gurney                Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

Received on Wed Dec 23 2020 - 01:32:53 UTC
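The per-key validity-window check that the message above describes as hard, written out as an added example (not code from anyone in this thread or from the FreeBSD project). It consumes the output of `git log --format='%H %G? %GK %ct'`; the key ids, commit hashes, dates and authorization table are constructed, and the policy format is an assumption.

```python
"""Accept a commit only if its signature is good AND the signing key was
authorized at the commit's time (the window check the thread calls hard).
Input: git log --format='%H %G? %GK %ct'  (%G? G=good B=bad E=no key N=unsigned).
All hashes, key ids and dates below are constructed."""

from datetime import datetime, timezone

def ts(day):
    """'YYYY-MM-DD' (UTC) -> unix timestamp, so the policy stays readable."""
    return int(datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp())

# Authorized keys and the window each may sign in (hypothetical key ids).
POLICY = {
    "0000AAAA0000AAAA": (ts("2019-01-01"), ts("2020-06-30")),  # rotated out mid-2020
    "0000BBBB0000BBBB": (ts("2020-07-01"), ts("2099-12-31")),  # its replacement
    "0000CCCC0000CCCC": (ts("2021-01-01"), ts("2099-12-31")),  # dev who starts in 2021
}

# Constructed git log output; 1607816624 is 2020-12-12, 1612137600 is 2021-02-01.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G 0000BBBB0000BBBB 1607816624
2222222222222222222222222222222222222222 G 0000AAAA0000AAAA 1607816624
3333333333333333333333333333333333333333 G 0000CCCC0000CCCC 1607816624
4444444444444444444444444444444444444444 N  1607816624
5555555555555555555555555555555555555555 E 0000DDDD0000DDDD 1607816624
6666666666666666666666666666666666666666 G 0000CCCC0000CCCC 1612137600
"""

def check_commits(log_text, policy=POLICY):
    """Return {commit_hash: (accepted, reason)} for each log line."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, *rest = line.split()
        key = rest[0] if len(rest) == 2 else ""   # %GK is empty when unsigned
        ctime = int(rest[-1])
        if status != "G":
            results[commit] = (False, f"signature status {status}, not G (good)")
        elif key not in policy:
            results[commit] = (False, f"key {key} is not on the authorized list")
        elif not policy[key][0] <= ctime <= policy[key][1]:
            results[commit] = (False, f"key {key} was not authorized at commit time")
        else:
            results[commit] = (True, "good signature, key authorized at that time")
    return results

if __name__ == "__main__":
    for commit, (ok, why) in check_commits(SAMPLE_LOG).items():
        print("ACCEPT" if ok else "REJECT", commit[:12], why)
```

Note that `%ct` is the committer's own claim, so whoever holds a compromised key can backdate a commit into the window; the check only bites when the timeline is anchored externally, for example by the periodically signed tags the message proposes for RE.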