Hey list, The current policy is to require GPG signatures on all commits to the git repo. However, a user on git commented [1] that signing every commit is unnecessary and bad practice, and that we should only sign tags or releases. He cited two other pages in his comment. The citations mention automating this. I don't automate anything; I manually type in my private key password for every commit. The idea behind it is to give consistency, trust, and integrity. To ensure that the person commit the change is in fact the person commiting the change. Obviously, I'm "pro-signing." Does everyone else feel the same? Or should we drop the requirement to sign every commit? -Steve