Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Stephen J. Turnbull
Mark Sapiro writes:

> where Linus argues that "Signing each commit is totally stupid." and
> that you should sign tags but not commits.

I agree with Linus that signing all commits is probably unnecessary because of the SHA1 chain, but I disagree with signing only tags. I think that the theoret

Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Barry Warsaw
On Oct 25, 2017, at 12:14, Simon Hanna wrote:
>
> I guess more important would be to sign the releases. At least Arch Linux
> likes to have signatures for source archives and often requests upstream
> projects to add this.

Definitely. I (try to remember to) sign both tags and releases for Core

Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Simon Hanna
I guess more important would be to sign the releases. At least Arch Linux likes to have signatures for source archives and often requests upstream projects to add this. For me as a user it would be more interesting to have a verified release signed by one key that's static rather than a commit

Re: [Mailman-Developers] Signing commits with gpg

2017-10-25 Thread Barry Warsaw
On Oct 24, 2017, at 18:56, Mark Sapiro wrote:
>
> I remember looking into signing commits when we first switched from bzr
> to git because I was used to signing all commits. At that time, it
> seemed controversial. See, e.g.,
>

Re: [Mailman-Developers] Signing commits with gpg

2017-10-24 Thread Mark Sapiro
On 10/24/2017 02:18 PM, Barry Warsaw wrote:
> On Oct 24, 2017, at 16:52, Abhilash Raj wrote:
>>
>> GitLab now supports verification of commit signatures and it would be
>> awesome if we start signing commits. It is a relatively painless process
>> and happens automatically with little configuratio

Re: [Mailman-Developers] Signing commits with gpg

2017-10-24 Thread Barry Warsaw
On Oct 24, 2017, at 16:52, Abhilash Raj wrote:
>
> GitLab now supports verification of commit signatures and it would be
> awesome if we start signing commits. It is a relatively painless process
> and happens automatically with little configuration.

Very cool that GL has enabled this! Thanks f

[Mailman-Developers] Signing commits with gpg

2017-10-24 Thread Abhilash Raj
Hi All,

GitLab now supports verification of commit signatures and it would be awesome if we start signing commits. It is a relatively painless process and happens automatically with little configuration. Spoofing authors in git is quite easy, actually provided as a command line option (--author,