On Thu, Jun 12, 2014 at 4:53 PM, Stephen R Guglielmo <srguglielmo@xxxxxxxxx> wrote:
> Hey list,
>
> The current policy is to require GPG signatures on all commits to the
> git repo. However, a user on git commented [1] that signing every
> commit is unnecessary and bad practice, and that we should only sign
> tags or releases. He cited two other pages in his comment.
>
> The citations mention automating this. I don't automate anything; I
> manually type in my private key password for every commit. The idea
> behind it is to give consistency, trust, and integrity. To ensure that
> the person committing the change is in fact the person committing the
> change.
>
> Obviously, I'm "pro-signing." Does everyone else feel the same? Or
> should we drop the requirement to sign every commit?
>
> -Steve

Oops, forgot to include the link.

https://github.com/CipherShed/CipherShed/issues/3#issuecomment-45879359