Thanks for the quick feedback - makes sense to try and keep frictionless. It occurred to me while verifying the release - working with @vincent to publish his key to avoid this: gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
Good enough for the release manager to go through that :) -r On Tue, Jul 10, 2018 at 12:14 PM, Michael Marth <[email protected]> wrote: > +1 to the hurdle. Even in complicated projects people (like me) like to > fix typos in READMEs > > > On 10.07.18, 17:46, "Rob Allen" <[email protected]> wrote: > > > Personally, I only sign tags on the OSS projects I lead. > > If you do it on a per-commit basis, it's yet another hurdle that a > contributor has to go through. That may not be a consideration for > OpenWhisk as it already is a complicated project for the inexperienced to > contribute to. > > Regards, > > Rob > > > On 10 Jul 2018, at 16:41, Rodric Rabbah <[email protected]> wrote: > > > > Who knows why we haven't enabled signed commits on the apache repos - > > should we require all commits to be signed? > > > > -r > > > > Ref: https://help.github.com/articles/signing-commits-using-gpg/ > > > > >
