Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

From: Brooks Davis <brooks_at_freebsd.org>
Date: Wed, 23 Dec 2020 17:01:32 +0000
On Tue, Dec 22, 2020 at 06:32:43PM -0800, John-Mark Gurney wrote:
> Steffen Nurpmeso wrote this message on Fri, Dec 18, 2020 at 19:28 +0100:
> > Brooks Davis wrote in
> >  <20201218175241.GA72552_at_spindle.one-eyed-alien.net>:
> >  |On Thu, Dec 17, 2020 at 05:53:20PM -0800, Thomas Mueller wrote:
> >  |>>> I hope we don't have to start signing all commits.  saltstack/salt has
> >  |>>> that policy, and it's extremely annoying.
> >  |> 
> >  |>> Have to? Not currently. As with all process changes, there will be
> >  |>> community discussion around the different points.
> >  |> 
> >  |>> Warner
> >  |> 
> >  |> I hope not!
> >  |> 
> >  |> Signatures, at least in email messages, are just an annoyance as \
> >  |> I see them.
> >  |> 
> >  |> I don't even know how do sign an email message or make use of a signatur\
> >  |> e in a message I receive.
> >  |> 
> >  |> I have never made a commit to a repository, so would not be familiar \
> >  |> with signatures there; imagine it would be a barrier.
> >  |
> >  |Signed commits have no practical effect on users of a repo.
> > 
> > Well you can verify integrity of a repository regardless of how it
> > was distributed, this is why it is done, right.
> > 
> >   #?0$ git log --oneline --show-signature -1 v14.9.20.ar
> >   16a21755 (...)
> >   gpg: Signature made Sun 13 Dec 2020 12:43:44 AM CET
> >   gpg:                using RSA key DF082F6AEEC8C2FF
> >   gpg: Good signature from "Steffen Nurpmeso <steffen_at_sdaoden.eu>"
> >   Bump S-nail v14.9.20.ar ("Sombre Tit (Trauermeise)"), 2020-12-12
> > 
> >   #?0$ git tag -v v14.9.20.ar; echo $?
> >   object 16a21755fd1fade2b15fdb78a592f12169c3453f
> >   type commit
> >   tag v14.9.20.ar
> >   tagger Steffen Nurpmeso <steffen_at_sdaoden.eu> 1607816624 +0100
> >   
> >   Bump S-nail v14.9.20.ar ("Sombre Tit (Trauermeise)"), 2020-12-12
> >   gpg: Signature made Sun 13 Dec 2020 12:43:44 AM CET
> >   gpg:                using RSA key DF082F6AEEC8C2FF
> >   gpg: Good signature from "Steffen Nurpmeso <steffen_at_sdaoden.eu>"
> >   0
> 
> TL;DR I don't see any reason for devs to sign commits.
> 
> I could see use for RE (or another entity) to occasionally (weekly?)
> sign the repo (say COPYRIGHT or UPDATING), and it would be nice for
> them to sign all the tags used for releases, but having every dev
> would both make the dev's life difficult...

I think RE signing releases makes some sense.  Routine signing of commits
eliminates lots of potentially useful workflows if you also want linear
history.  In particular it makes it impractical to implement any form of
commit-automatically-after-CI type workflows because rebase loses the
signature.

-- Brooks
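As an added illustration of the point above (this is not code from the thread or from the FreeBSD project), the following POSIX sh script shows where a commit signature actually lives, as a gpgsig header inside the commit object, and that a rebase writes a fresh object without it. The repository, branch and file names are made up, and a constructed placeholder stands in for the PGP block so the script runs without gpg; a real signed commit behaves the same way.

```shell
# Added example, not code from the thread or the FreeBSD project.
# A commit signature is a "gpgsig" header of the commit object; rebase
# replays the change as a new object and the header does not come along.
# A constructed placeholder replaces a real PGP block so no key is needed.
set -e
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Policy check: count commits reachable from $1 that carry a gpgsig header.
count_signed() {
    n=0
    for c in $(git rev-list "$1"); do
        if git cat-file -p "$c" | grep -q '^gpgsig '; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Build a throwaway repo, craft a "signed" commit, rebase it, and print the
# signed-commit counts before and after the rebase (expected: "1 0").
demo() {
    dir=$(mktemp -d)
    cd "$dir"
    git init -q
    echo base > f && git add f && git commit -q -m base
    main=$(git symbolic-ref --short HEAD)
    base=$(git rev-parse HEAD)
    # Hand-assemble a commit object carrying a gpgsig header (placeholder body).
    echo topic > t && git add t
    tree=$(git write-tree)
    signed=$(printf '%s\n' "tree $tree" "parent $base" \
        'author demo <demo@example.invalid> 1608000000 +0000' \
        'committer demo <demo@example.invalid> 1608000000 +0000' \
        'gpgsig -----BEGIN PGP SIGNATURE-----' \
        ' PLACEHOLDER-NOT-A-REAL-SIGNATURE' \
        ' -----END PGP SIGNATURE-----' \
        '' 'signed topic commit' |
        git hash-object -t commit -w --stdin --literally)
    git reset -q --hard
    git branch topic "$signed"
    # Advance the base branch so the rebase has to rewrite the topic commit.
    echo more > g && git add g && git commit -q -m more
    git checkout -q topic
    git rebase -q "$main"
    before=$(count_signed "$signed")   # original object still has the header
    after=$(count_signed topic)        # rewritten commit: header is gone
    cd / && rm -rf "$dir"
    echo "$before $after"
}
```

Running `demo` prints `1 0`: the original object keeps its signature, but the commit now on `topic` is a different object with no gpgsig header, which is exactly what breaks a sign-then-rebase workflow.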

Received on Wed Dec 23 2020 - 16:01:35 UTC
