Hi

On 4/9/24 13:02, Derick Rethans wrote:
> It seems that most of the replies to this were positive, although with the
> realisation that it wouldn't be a panacea.
>
> I will therefore propose a minimalistic RFC to create this requirement
> to sign commits to all branches, in the next few days.
>
> I probably would have preferred requiring *GPG* signing (due to a web of
> trust), but GitHub's requirement isn't that granular (it's either
> SSH+GPG, or nothing).
>
> Any other opinions, I'd be delighted to hear them.

Web of trust for PGP is effectively dead since https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.

Requiring any type of signature on the commits is fine. The distinct public keys will build reputation on their own by making good commits. More signatures is certainly better than fewer. In fact I would find it sufficient to just *strongly encourage* the regular committers to set up signing, even without actually enforcing it on GitHub.

Best regards
Tim Düsterhus
