On Wed, Feb 17, 2016 at 8:26 AM Jesse McConnell <[email protected]>
wrote:

> git commit -s
>
> that adds the required bit
>

Sure, I'm familiar with signed commits in Git.

> Think of it like this, you sign a CLA with eclipse that says you are
> cleared to contribute to eclipse, but that doesn't mean everything you ever
> do can be contributed....adding that -s on the commit communicates that you
> are making that commit under the auspices of your agreement.
>

Makes sense in light of the fact that Git authors and committers are easily
forged. Presumably you want the signature to provide some additional
assurance of the identity of the contributor; specifically, that the commit
was made by someone with a CLA. Unfortunately the metadata on a PGP key is
just as easily forgeable as Git metadata; without some additional steps to
verify keys, the signature won't provide any additional assurance of
identity.

I'm sure you folks know all this and you will require keys to be signed by
a trusted party, which would provide the trust framework for the assurance
you're after. I mostly wanted to point out that the trust model is an
important practical consideration that ought to be documented clearly.

Best,
Marvin
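As an added example that is not part of the thread: `git commit -s` appends a `Signed-off-by:` trailer to the commit message, and a hypothetical repository-side check can verify that each commit carries a sign-off matching its author (and, optionally, an address on a CLA list, which is assumed here). The sample commits are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Trailer line as written by `git commit -s`: "Signed-off-by: Name <email>"
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^<>]+)>\s*$")

@dataclass
class Commit:
    author_email: str
    message: str

def signoffs(message: str) -> list[tuple[str, str]]:
    """(name, email) pairs from Signed-off-by lines in the trailer block.
    Git keeps trailers in the final paragraph, so only that paragraph is
    scanned; a sign-off quoted in the body text does not count."""
    paragraphs = message.strip("\n").split("\n\n")
    if len(paragraphs) < 2:
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = SIGNOFF_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("email").lower()))
    return found

def check_dco(commit: Commit, cla_emails: set[str] | None = None) -> list[str]:
    """Policy violations for one commit; an empty list means it passes.
    The trailer and the author field are both typed by whoever made the
    commit, so this enforces policy; identity proof needs a verified key."""
    found = signoffs(commit.message)
    if not found:
        return ["missing Signed-off-by trailer"]
    problems = []
    emails = {e for _, e in found}
    if commit.author_email.lower() not in emails:
        problems.append(f"no sign-off matches author <{commit.author_email}>")
    if cla_emails is not None:  # hypothetical list of identities with a CLA on file
        unknown = sorted(emails - {e.lower() for e in cla_emails})
        if unknown:
            problems.append("sign-off not covered by a CLA: " + ", ".join(unknown))
    return problems

# Constructed sample commits (not from the thread).
GOOD = Commit("alice@example.org", "Fix handler NPE\n\nNull check before "
              "dispatch.\n\nSigned-off-by: Alice Example <alice@example.org>\n")
UNSIGNED = Commit("alice@example.org", "Fix handler NPE\n\nNo trailer here.\n")
MISMATCH = Commit("bob@example.org",
                  "Fix handler NPE\n\nSigned-off-by: Alice Example <alice@example.org>\n")
```

Running `check_dco(c, {"alice@example.org"})` over the three samples returns an empty list for `GOOD` and one problem each for `UNSIGNED` and `MISMATCH`.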
_______________________________________________
jetty-users mailing list
[email protected]