Volkan, if you'd like to continue using git commit sigs, you should
also upload your public GPG key to your GitHub account so that it can
verify your commits, too. Otherwise, GitHub doesn't exactly import GPG
keys from the public web of trust; they only use GPG keys you specify
in your profile (whereas they do support X.509 keys when certified by
a public CA, but this feature seems a lot more recent than the GPG
support).

On Fri, Apr 15, 2022 at 8:25 AM Volkan Yazıcı <vol...@yazi.ci> wrote:
>
> I couldn't introduce branch protection (aka. RTC review-then-commit) since
> Gary was strongly against it. It was just me, Matt, and Carter supporting
> the idea; Ralph was also sort of against it. You can search the archives
> for details.
>
> I couldn't even introduce commit signatures. Sigh...
>
> On Fri, Apr 15, 2022 at 5:34 AM Remko Popma <remko.po...@gmail.com> wrote:
>
> > I remember we discussed changing our development process to use PRs instead
> > of committing directly to the release branches.
> > This was part of trying to increase our security score, especially the
> > Branch Protection part
> > in scorecard (https://github.com/ossf/scorecard/blob/main/docs/checks.md).
> >
> > Questions:
> > * how many approvals did we agree on before a PR can be merged?
> > * if a PR is merged into release-2.x, can it be cherry-picked onto 3.0
> > directly, or does the change to the 3.0 branch need a separate PR?
> > * what to do with the updates to changes.xml? Does that need to be included
> > in the PRs?
> >
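
As an added illustration of the point about signature verification (this is example code, not anything from the Log4j project or from the thread), the script below audits a branch's commit-signature status the way a reviewer might before trusting it. It assumes the log was produced with `git log --format='%H|%G?|%GK|%an'`, whose `%G?` status codes are the ones git documents (G, B, U, X, Y, R, E, N); the sample log lines, key ids and author names are constructed. The optional allow-list mirrors the behaviour described above: a signature only counts if it was made by a key the project has registered, not merely one that exists in the public web of trust.

```python
"""Audit commit-signature status from `git log` output (example code).

Input format assumed: one commit per line, as produced by
    git log --format='%H|%G?|%GK|%an' <range>
i.e. hash | %G? status | signing key id (empty when unsigned) | author.
"""
from dataclasses import dataclass

# Meaning of the %G? status codes from git's pretty-formats documentation.
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, but the key is not trusted",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key or error)",
    "N": "no signature",
}


@dataclass
class CommitSig:
    sha: str
    status: str
    key_id: str
    author: str


def parse_git_log(text):
    """Parse '<sha>|<status>|<keyid>|<author>' lines into CommitSig records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 3)  # author may itself contain '|', so cap splits
        if len(parts) != 4:
            raise ValueError(f"unexpected git log line: {line!r}")
        sha, status, key_id, author = parts
        if status not in STATUS_MEANING:
            raise ValueError(f"unknown %G? status {status!r} for {sha}")
        commits.append(CommitSig(sha, status, key_id, author))
    return commits


def audit(commits, allowed_keys=None):
    """Return (sha, reason) for every commit that fails the signing policy.

    Policy: the signature must verify as fully trusted ('G'); if allowed_keys
    is given, the signing key must additionally be one the project registered.
    """
    failures = []
    for c in commits:
        if c.status != "G":
            failures.append((c.sha, STATUS_MEANING[c.status]))
        elif allowed_keys is not None and c.key_id not in allowed_keys:
            failures.append((c.sha, f"signed by unregistered key {c.key_id}"))
    return failures


def summarize(commits):
    """Count commits per %G? status, e.g. {'G': 2, 'N': 1}."""
    counts = {}
    for c in commits:
        counts[c.status] = counts.get(c.status, 0) + 1
    return counts


# Constructed sample log (hashes, key ids and names are made up).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|G|ABCDEF0123456789|Alice Example
2222222222222222222222222222222222222222|N||Bob Example
3333333333333333333333333333333333333333|U|0123456789ABCDEF|Carol Example
4444444444444444444444444444444444444444|E|FEDCBA9876543210|Dan Example
5555555555555555555555555555555555555555|G|FEDCBA9876543210|Dan Example
"""

# Hypothetical allow-list of keys the project has registered for its committers.
REGISTERED_KEYS = {"ABCDEF0123456789"}


if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_LOG)
    print("status counts:", summarize(commits))
    for sha, reason in audit(commits, allowed_keys=REGISTERED_KEYS):
        print(f"FAIL {sha[:12]}  {reason}")
```

Run against a real branch by piping `git log --format='%H|%G?|%GK|%an' origin/main..HEAD` into `parse_git_log`; a signature that git reports as "U" is exactly the case of a key that exists in the web of trust but is not one the verifying side has chosen to trust.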
