Drawback, more work... KEYS should also be available on pgp.mit.edu
On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <[email protected]> wrote:

> Niclas Hedhman wrote:
> > Hi,
> > There is some internal debate about how to ensure provenance in a Git and
> > GitHub world. I can't say how that discussion is going, but one idea that
> > surfaced, which we (the projects) can do regardless of the total outcome,
> > to improve code provenance is to sign our commits.
> >
> > I first note that IntelliJ doesn't support commit signing directly.
> >
> > Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> > that correctly) is a must read.
> >
> > In that paper, I am specifically talking about Option #3 (as I doubt that
> > we (Zest) will get too many pull requests that are many commits long)
> >
> > This seems to be something that can be introduced incrementally and at a slow
> > pace, which is something we like at Apache. Trust enforcement and all of
> > that can be done later, and perhaps other projects will lead the way...
> >
> > I would like to hear what people think about this...
>
> I think we should sign tags at least/first.
>
> I'd be in favor of signing commits.
> Doing this properly could also mean adding a hook to reject unsigned
> commits.
>
> For external contributions, some Zest committer will always end up doing
> the actual code import. I'd be in favor of always squashing such code
> imports, and have the committer sign it. For the
> numerous-commits-pull-request "use case", it implies a bit of work to get
> a proper commit message that captures what was spread across several
> commits, or request its author to do the squashing.
> Do you see any drawbacks doing it like this?
>
> > P.S. I am now settled in, in Shanghai and just started to work on a new
> > Zest based app on my spare time, so activity should start to pick up again.
>
> P.S. Good! I've been busy with work changes these weeks. I have good
> hope that it will calm down a bit.
>
> BTW, Niclas' key and mine can be found here:
> https://dist.apache.org/repos/dist/release/zest/KEYS

--
Niclas Hedhman, Software Developer
http://zest.apache.org - New Energy for Java
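The thread floats "a hook to reject unsigned commits" without showing one. The script below is an added illustration of that idea, not Zest project code or anything from the thread's authors. It is written as a server-side `pre-receive` hook: for every pushed ref it lists the new commits with `git log --format='%H %G?'` and refuses the push if any commit's signature status is not `G` (good, trusted signature). The policy of accepting only `G` (rather than also `U`, untrusted-but-valid) is an assumption; so is the hook name, and the hook presumes the receiving side has gpg available with the committers' public keys imported (for example from the KEYS file linked above). The sample log lines at the bottom are constructed, not real Zest commits.

```sh
#!/bin/sh
# Added example: server-side pre-receive hook that refuses commits lacking a
# good GPG signature. Not Zest project code; policy and hook name are assumptions.

# Map git's %G? signature-status letter to an accept/reject decision.
#   G = good signature            U = good, but key not trusted
#   X = good, signature expired   Y = good, key expired      R = good, key revoked
#   E = cannot check (key missing)   B = bad signature       N = no signature
accept_status() {
    case "$1" in
        G) return 0 ;;   # policy assumption: only a good, trusted signature passes
        *) return 1 ;;
    esac
}

# Read "<sha> <status>" lines (the format of `git log --format='%H %G?'`) on
# stdin, print each rejected commit, and return 1 if any commit was rejected.
check_lines() {
    bad=0
    while read -r sha status; do
        [ -n "$sha" ] || continue
        if ! accept_status "$status"; then
            printf '%s %s\n' "$sha" "${status:-?}"
            bad=1
        fi
    done
    return "$bad"
}

# pre-receive protocol: one "<old> <new> <ref>" line per pushed ref on stdin.
run_pre_receive() {
    zero=0000000000000000000000000000000000000000
    failed=0
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$zero" ] && continue        # ref deletion: nothing to verify
        if [ "$oldrev" = "$zero" ]; then
            # new ref: verify only commits not already reachable from existing refs
            set -- "$newrev" --not --all
        else
            set -- "$oldrev..$newrev"
        fi
        # POSIX sh has no pipefail, so a failing git log is turned into a bogus
        # line that check_lines rejects instead of silently passing the push.
        rejected=$( { git log --format='%H %G?' "$@" </dev/null \
                      || echo "git-log-failed -"; } | check_lines ) || {
            printf 'push to %s refused; commits without a good signature:\n%s\n' \
                "$refname" "$rejected" >&2
            failed=1
        }
    done
    exit "$failed"
}

# Constructed sample of `git log --format='%H %G?'` output (not real Zest commits)
# for trying the filter without a repository: the N and U lines come back as rejected.
SAMPLE_LOG='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U'

# Only act as a hook when git invokes this file as hooks/pre-receive; under any
# other name, run the constructed sample through the filter instead.
case "${0##*/}" in
    pre-receive) run_pre_receive ;;
    *) printf '%s\n' "$SAMPLE_LOG" | check_lines || echo "sample: some commits would be rejected" ;;
esac
```

Installed as `hooks/pre-receive` on the repository that receives pushes, this enforces the policy at the point where history enters the shared repo; a local `commit-msg` or `pre-commit` hook cannot, since every committer controls their own checkout. The same status letters are what `git verify-commit` reports, and Paul's "sign tags at least/first" proposal has the analogous server-side check in `git verify-tag`, which can be applied to pushed `refs/tags/*` in the same loop.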
