[ciphershed] Requiring GPG Signatures on Git Commits

  • From: Stephen R Guglielmo <srguglielmo@xxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Thu, 12 Jun 2014 16:53:11 -0400

Hey list,

The current policy is to require GPG signatures on all commits to the
git repo. However, a user on git commented [1] that signing every
commit is unnecessary and bad practice, and that we should only sign
tags or releases. He cited two other pages in his comment.

The citations mention automating this. I don't automate anything; I
manually type in my private key password for every commit. The idea
behind it is to give consistency, trust, and integrity. To ensure that
the person committing the change is in fact the person committing the
change.

Obviously, I'm "pro-signing." Does everyone else feel the same? Or
should we drop the requirement to sign every commit?

-Steve
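
One way to actually enforce the "every commit must be signed" policy the post describes, as an added example that is not part of the original mail or of CipherShed's own tooling. It reads the signature status that git reports through the `%G?` placeholder of `git log --format` (the status letters below are the ones documented in git-log(1)) and the signing key's fingerprint through `%GF` (assumed available, git 2.19 or later), and accepts a commit only if gpg verified the signature and the key is on an allowlist. The fingerprints, commit hashes and log lines in the sample are constructed placeholders, not real CipherShed keys or history.

```python
"""Added example: check that every commit in a git range carries a good GPG
signature from an allowlisted key. Illustration only, not CipherShed code.

Policy logic is separated from the git call so it can be exercised on
constructed log lines without a repository.
"""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? status letters (git-log(1), "PRETTY FORMATS").
STATUS = {
    "G": "good signature",
    "U": "good signature, key not trusted in gpg's trust database",
    "B": "bad signature",
    "X": "good signature, but the signature has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. public key missing)",
    "N": "no signature",
}

# Tab-separated: commit sha, %G? status, signing key fingerprint (%GF, assumes
# git >= 2.19), subject line.
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%s"


@dataclass
class CommitCheck:
    sha: str
    status: str
    fingerprint: str
    subject: str
    ok: bool
    reason: str


def evaluate(line, trusted):
    """Decide whether one `git log` line satisfies the policy.

    A commit passes only if gpg verified the signature ("G", or "U" when the
    key is merely absent from gpg's trust db) AND the signing key fingerprint
    is on the project allowlist. Trust comes from the allowlist, not from
    gpg's web of trust, so "U" with an allowlisted key is acceptable.
    """
    fields = line.split("\t", 3)
    fields += [""] * (4 - len(fields))   # tolerate a missing subject
    sha, status, fpr, subject = fields
    fpr = fpr.upper()
    if status not in ("G", "U"):
        ok, reason = False, STATUS.get(status, "unknown status %r" % status)
    elif fpr not in trusted:
        ok, reason = False, "valid signature but key %s is not allowlisted" % (fpr or "<none>")
    else:
        ok, reason = True, "signed by allowlisted key"
    return CommitCheck(sha, status, fpr, subject, ok, reason)


def check_lines(lines, trusted):
    """Evaluate a list of pre-formatted log lines; blank lines are skipped."""
    return [evaluate(l, trusted) for l in lines if l.strip()]


def check_range(rev_range, trusted, repo="."):
    """Run the real check, e.g. check_range("origin/master..HEAD", TRUSTED_KEYS).

    Requires git and gpg on PATH and the signers' public keys imported into
    the verifying user's keyring (otherwise every status comes back "E").
    """
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%s" % LOG_FORMAT, rev_range],
        capture_output=True, text=True, check=True,
    ).stdout
    return check_lines(out.splitlines(), trusted)


# Constructed sample data: placeholder fingerprints and shas, not real keys.
TRUSTED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
SAMPLE_LOG = [
    "aaaaaaaa\tG\t0123456789abcdef0123456789abcdef01234567\tAdd unit test",
    "bbbbbbbb\tU\t0123456789ABCDEF0123456789ABCDEF01234567\tFix typo in README",
    "cccccccc\tN\t\tMerge branch 'feature'",
    "dddddddd\tG\tFEDCBA9876543210FEDCBA9876543210FEDCBA98\tBump version",
    "eeeeeeee\tE\t\tWIP",
]

if __name__ == "__main__":
    import sys
    results = check_lines(SAMPLE_LOG, TRUSTED_KEYS)
    for r in results:
        print("%s %s %-4s %s  (%s)" % ("OK  " if r.ok else "FAIL", r.sha, r.status, r.subject, r.reason))
    sys.exit(0 if all(r.ok for r in results) else 1)
```

The allowlist, not gpg's own trust database, is the source of trust here, which is why a "U" status with an allowlisted fingerprint passes while a "G" from an unknown key fails. Note the limitation behind the "sign tags instead" argument in the post: per-commit signatures only survive as long as the commit objects do, so any rebase or squash on the way into the main branch discards them, whereas a signed tag covers whatever history it points at.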