Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Stephen J. Turnbull
Mark Sapiro writes:

 > where Linus argues that "Signing each commit is totally stupid." and
 > that you should sign tags but not commits.

I agree with Linus that signing all commits is probably unnecessary
because of the SHA1 chain, but I disagree with signing only tags.  I
think that the theoretical sweet spot is signing merge commits (or
branch head in case of a fast-forward) at push time.

But pragmatically that's too annoying (requires user decision AFAIK,
easy to omit, etc), so autosigning every commit FTW IMHO.

Steve


___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Barry Warsaw
On Oct 25, 2017, at 12:14, Simon Hanna  wrote:
> 
> I guess more important would be to sign the releases. At least archlinux 
> likes to have signatures for source archives and often requests upstream 
> projects to add this.

Definitely.  I (try to remember to) sign both tags and releases for Core.

> Another thing that just came to mind: how does commit squashing work? You'll 
> probably have to do that offline and not use gitlabs autosmashing…

I would think that squash merges would destroy the record of any intermediate 
signed commits.  Core doesn’t have a firm policy either way; sometimes I squash 
merge, sometimes not.  I’m philosophically opposed to squash merging, but git 
often really makes me want to do it anyway.

-Barry



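The two points raised in this thread, which commits actually carry a signature (Stephen's merge-commit vs. every-commit question) and whether a squash merge keeps any of them (Barry's concern above), can be checked directly from git's commit objects. The following is an added example, not code from this thread or from Mailman: it parses the text that `git cat-file -p <sha>` prints for a commit, where a signature is stored as a multi-line `gpgsig` header whose continuation lines start with a single space. The sample objects, hashes and signature body are constructed placeholders.

```python
"""Report which git commit objects carry a gpgsig header (added example)."""


def parse_commit_object(raw: str) -> dict:
    """Split raw `git cat-file -p` commit text into headers and message.

    Headers run until the first blank line. A line beginning with a space
    continues the previous header; that is how git stores the multi-line
    gpgsig block (its internal blank line appears as a lone space).
    """
    headers: dict = {}
    lines = raw.split("\n")
    i, last_key = 0, None
    while i < len(lines) and lines[i] != "":
        line = lines[i]
        if line.startswith(" ") and last_key is not None:
            headers[last_key][-1] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, []).append(value)  # "parent" may repeat
            last_key = key
        i += 1
    return {"headers": headers, "message": "\n".join(lines[i + 1:])}


def is_signed(raw: str) -> bool:
    """True if a gpgsig header with a PGP block is present.

    Presence only: validity and key trust still need `git verify-commit`."""
    sig = parse_commit_object(raw)["headers"].get("gpgsig", [""])[0]
    return "-----BEGIN PGP SIGNATURE-----" in sig


def is_merge(raw: str) -> bool:
    """A merge commit has more than one parent header."""
    return len(parse_commit_object(raw)["headers"].get("parent", [])) > 1


def unsigned_commits(objects: dict) -> list:
    """objects maps sha -> raw commit text; returns shas lacking a signature."""
    return [sha for sha, raw in objects.items() if not is_signed(raw)]


# Constructed sample objects (placeholder hashes, truncated signature body).
COMMON = ("tree aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
          "parent 1111111111111111111111111111111111111111\n"
          "author Dev <dev@example.org> 1508950000 +0200\n")
SIGNED_FEATURE = (COMMON + "committer Dev <dev@example.org> 1508950000 +0200\n"
                  "gpgsig -----BEGIN PGP SIGNATURE-----\n \n"
                  " iQEzBAABCAAdFiEEplaceholder\n -----END PGP SIGNATURE-----\n"
                  "\nAdd feature\n")
SQUASHED = COMMON + "committer GitLab <noreply@example.org> 1508960000 +0000\n\nSquash of feature branch\n"
```

Running `unsigned_commits` over the objects of a range such as `origin/master..HEAD` shows that the squashed commit has no `gpgsig` header even though the commits it replaced were signed.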


Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Simon Hanna
I guess more important would be to sign the releases. At least archlinux likes 
to have signatures for source archives and often requests upstream projects to 
add this. 

For me as a user it would be more interesting to have a verified release signed 
by one key that's static rather than a commit history that is signed by many 
different keys that I don't know. 
I guess the single commit signature is more relevant to other developers, so we 
know who actually committed something. However, if all commits to the master 
branches come from merge requests, you already use gitlabs verification. It's 
not as good as gpg signatures, but in the end you have to trust gitlab to a 
certain degree anyway...

Another thing that just came to mind: how does commit squashing work? You'll 
probably have to do that offline and not use gitlabs autosmashing...

I don't have anything against it and I can also rather easily start doing that. 
(I will have to have my keychain nearby, as I don't have my keys stored on my 
machines...)


Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Barry Warsaw
On Oct 24, 2017, at 18:56, Mark Sapiro  wrote:
> 
> I remember looking into signing commits when we first switched from bzr
> to git because I was used to signing all commits. At that time, it
> seemed controversial. See, e.g.,
> 
> where Linus argues that "Signing each commit is totally stupid." and
> that you should sign tags but not commits.
> 
> I don't know enough about the internals of this to have an opinion, and
> as I said I will be signing my commits going forward, and the post I
> link to is over 8 years old and things might have changed, but there it
> is for what it's worth.

I’m not sure that any of the points Linus brings up in that thread have 
changed, but I’m also not sure how relevant they are to our workflow.  It’s 
interesting enough that Gitlab is now showing the verified tag for signed 
commits, although TBH, I’m also not sure how much that buys us in practice.  
Still, it’s easy enough to experiment with, so let’s do it and see if it has 
any practical impact on us, either pro or con.

-Barry


