On Sat, Apr 26, 2014 at 11:29:39AM +0100, Ben Laurie wrote:
> I just noticed that if I merge a pull request, then both author and
> committer are set to whoever made the pull request.

Are you using github, or git using its standard pull request workflow?

In the standard git workflow, the author and committer are set to the person who merged the pull. The person who requested the pull request is recorded in the signed git tag.

For example, I recently signed a git tag:

% git tag -s ext4_for_linus_stable
<Insert smart card, type the pin to create the GPG signed tag>
% git push ssh://gitol...@ra.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git tags/ext4_for_linus_stable
<Type pin to unlock the ssh key, which is also on the smart card>
% git request-pull origin git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git tags/ext4_for_linus_stable > /tmp/pull

(I have aliases and shell scripts for most of this, but I've expanded all of this out for clarity.)

Then I e-mailed the following to Linus, and then after he merged the pull request, when I pulled down his tree, you can see the following:

% git show --pretty=fuller --show-signature origin
commit 9ac03675010a69507c0a9d832d6a722e07d35cc6
merged tag 'ext4_for_linus_stable'
gpg: Signature made Sun 20 Apr 2014 10:23:16 PM EDT using RSA key ID C11804F0
gpg: Good signature from "Theodore Ts'o <ty...@mit.edu>"
gpg:                 aka "Theodore Ts'o <ty...@debian.org>"
gpg:                 aka "Theodore Ts'o <ty...@google.com>"
Merge: a798c10 0a04b24
Author:     Linus Torvalds <torva...@linux-foundation.org>
AuthorDate: Sun Apr 20 20:43:47 2014 -0700
Commit:     Linus Torvalds <torva...@linux-foundation.org>
CommitDate: Sun Apr 20 20:43:47 2014 -0700

    Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext

    Pull ext4 fixes from Ted Ts'o:
     "These are regression and bug fixes for ext4.

      We had a number of new features in ext4 during this merge window
      (ZERO_RANGE and COLLAPSE_RANGE fallocate modes, renameat, etc.) so
      there were many more regression and bug fixes this time around. It
      didn't help that xfstests hadn't been fully updated to fully stress
      test COLLAPSE_RANGE until after -rc1"

    * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ( ....

The advantage of doing it this way is that git will detach the signature from the tag, and save it in the merge conflict, so years later, the cryptographic accountability chain is preserved in the git tree.

Cheers,

- Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
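
The signature shown by `--show-signature` above is stored by git in a `mergetag` header of the merge commit object, holding the whole signed tag with every line after the first prefixed by one space. The following is an added example, not part of the original message: a small Python parser that pulls that embedded tag out of `git cat-file commit <merge>` output for auditing. The function names and the sample commit (ids, identities, signature body) are constructed placeholders.

```python
# Added example: find the signed tag that git embeds in a merge commit.
# Input is the text printed by `git cat-file commit <merge>`.
PGP_BEGIN = "-----BEGIN PGP SIGNATURE-----"

def parse_headers(raw):
    """Split a git object into (headers, message).
    A header line starting with one space continues the previous header."""
    head, _, message = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message

def merge_tags(raw_commit):
    """Describe every tag embedded in a merge commit's mergetag headers."""
    headers, _ = parse_headers(raw_commit)
    parents = [v for k, v in headers if k == "parent"]
    found = []
    for key, value in headers:
        if key != "mergetag":
            continue
        fields = dict(parse_headers(value)[0])
        payload, sep, sig = value.partition(PGP_BEGIN)
        found.append({
            "tag": fields.get("tag"),
            "tagger": fields.get("tagger"),  # who requested the pull
            "object_is_parent": fields.get("object") in parents,
            "signed_payload": payload if sep else None,  # bytes the signature covers
            "signature": PGP_BEGIN + sig if sep else None,
        })
    return found

# Constructed sample: ids, identities and signature body are placeholders.
TAG = ("object " + "3" * 40 + "\ntype commit\ntag fixes_for_upstream\n"
       "tagger Maintainer <maint@example.org> 1398046996 -0400\n\n"
       "Regression fixes\n" + PGP_BEGIN + "\n(placeholder)\n"
       "-----END PGP SIGNATURE-----")
SAMPLE = ("tree " + "1" * 40 + "\nparent " + "2" * 40 + "\nparent " + "3" * 40
          + "\nauthor Merger <merger@example.org> 1398051827 -0700"
          + "\ncommitter Merger <merger@example.org> 1398051827 -0700"
          + "\nmergetag " + TAG.replace("\n", "\n ")  # fold as git does
          + "\n\nMerge tag 'fixes_for_upstream'\n")

if __name__ == "__main__":
    print(merge_tags(SAMPLE))
```

The `signed_payload` and `signature` fields are the two pieces a verifier needs; an `object_is_parent` of False means the embedded tag does not name a commit that was actually merged.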