On Wed 2019-09-18 12:11:12 +0200, john doe wrote:
> Git history is paramount, locally you can do whatever you want but
> rebasing/merging on what is already pushed is a no go for me.

What is "pushed"? What if it was pushed to a feature branch? What if it
was sent to the mailing list for a review? What if upstream's policy is
"the master branch *is* a development branch and may change at any time,
i only promise to avoid rollbacks at specific checkpoints (i.e., tags)".
Why should the developer not be able to go back and say "hey, this was a
mistake, i think we should do it differently, i sure am glad i caught
that before we released it"?

> I see two reasons why it would be useful to be able to verify commit:
> - Issue in tag that can be corrected by 'cherry-pick'ing a commit
> While I can verify the signed tag I cannot verify the 'cherry-pick'ed
> commit

If you're doing this, and *all* you rely on is that the commit is
signed, you might well have other problems. For example, there are some
commits which are trivially cherry-pickable, but they only work (that
is, "work" means "do what you want them to do") because of changed
behavior from *other* commits that were made earlier in the series.

If you're not shipping a signed release, and you're
backporting/cherry-picking patches without understanding them, and only
relying on the fact that they came from the author, that is not a great
situation.

Again, it doesn't mean that an author's signature (or a committer's
signature) on the commit isn't useful, just that it doesn't really
perform the kind of verification that i think you're suggesting it does.

> - Merging a local branch with upstream
> The command 'git pull' will do a 'git fetch' followed by 'git merge'

i don't see how signed commits help you here, sorry.

> I guess what I'm trying to say is that if the commit is not signed you
> can't be sure who made the commit.

Right, that's true. And even if a commit is signed, all you can be sure
is that someone with access to the cryptographic token in question made
the commit, not that it is a sensible commit for you to cherry-pick.

      --dkg
_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
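
The cherry-pick point in the message above, as an added example that is not part of the original thread: a constructed two-commit series in a throwaway repository, where the second commit applies cleanly to a release branch but only does what it is meant to do after the first. The file names, the branch name `release` and the limit values are invented for the demo; the commits are left unsigned because a valid signature would not change the outcome.

```shell
# Constructed demo: commit 2 of a series cherry-picks cleanly onto a
# release branch, yet behaves differently there without commit 1.
cherry_pick_demo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        # Throwaway identity; signing disabled so no key is needed.
        g() { git -c user.name=demo -c user.email=demo@example.invalid \
                  -c commit.gpgsign=false "$@"; }
        g init -q . || exit 1

        # Base state, shared by the release branch and the development line.
        echo 'LIMIT=100' > limit.conf
        printf 'echo accept\n' > check.sh
        g add limit.conf check.sh && g commit -q -m 'base' || exit 1
        g branch release

        # Series commit 1: tighten the limit.
        echo 'LIMIT=10' > limit.conf
        g commit -q -am 'lower LIMIT to 10' || exit 1

        # Series commit 2: enforce the limit; touches only check.sh.
        printf '. ./limit.conf\n[ "$1" -le "$LIMIT" ] && echo accept || echo reject\n' > check.sh
        g commit -q -am 'enforce LIMIT in check.sh' || exit 1
        fix=$(g rev-parse HEAD)
        upstream=$(sh check.sh 50)

        # Backport only commit 2. No conflict: commit 1 changed another file.
        g checkout -q release || exit 1
        g cherry-pick "$fix" >/dev/null 2>&1 && pick=clean || pick=conflict
        backport=$(sh check.sh 50)

        echo "pick=$pick upstream=$upstream backport=$backport"
    )
    status=$?
    rm -rf "$repo"
    return $status
}

cherry_pick_demo
```

The same input is rejected on the development line and accepted on the backport, so reviewing the series a commit depends on (for instance with `git log` over the range between the release tag and the picked commit) matters independently of whether `git verify-commit` succeeds.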