[ciphershed] Re: Requiring GPG Signatures on Git Commits

  • From: Rocki Hack <rocki.hack@xxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Fri, 13 Jun 2014 15:11:14 +0200

That's fine for core devs committing (merge) to trunk and as long as these
commits NEVER change.
But do not force external contributors (and if you commit to your forks) to
sign with gpg;
it's recommended to use "-s".



2014-06-13 14:59 GMT+02:00 Kyle Marek <psppsn96@xxxxxxxxx>:

>  On 06/13/2014 08:54 AM, Rocki Hack wrote:
>
>  If you trust someone and he signed the commit then you also trust his
> source.
>
> That's my point, though. You don't want a core developer to miss a
> cleverly placed back door and just trust the word of the core developer
> when that back door was there in the first place because someone
> impersonated another developer and the core developer that was reviewing
> the commit had no idea. It helps to prevent a situation like this because
> it's hard to impersonate someone when they sign everything.
>
>
> ------------------------------
>
>     At the time of sending this message, I have not been contacted by any
> government official or worker regarding my participation in CipherShed or
> any related project. I have not been asked to supply any information to
> them that may be used to impersonate me nor have I been asked to aid the
> government or its officials or workers in modifying part of CipherShed or
> any related project. I am not aware of any of my property or anything
> regarding me being bugged, searched, or compromised in any way. Anything
> that accepts PGP encryption or signing should have been cryptographically
> secured with my PGP key.
>
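
An added illustration, not part of the original thread or of CipherShed's tooling: git's `-s` only appends a `Signed-off-by:` trailer to the commit message, while `-S` stores a GPG signature in the commit object's `gpgsig` header. The sketch below tells the two apart on constructed raw commit objects and applies an assumed policy (trunk commits need a signature, contributions need a sign-off); all function names and sample data are hypothetical.

```python
import re

SIGNOFF = re.compile(r"^Signed-off-by: .+ <[^<>\s]+@[^<>\s]+>$", re.MULTILINE)

def parse_commit(raw):
    """Split a raw commit object (`git cat-file -p <commit>`) into headers and message."""
    head, _, message = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            headers[-1][1] += "\n" + line[1:]   # continuation of a multi-line header
        else:
            key, _, value = line.partition(" ")
            headers.append([key, value])
    return headers, message

def classify(raw):
    headers, message = parse_commit(raw)
    keys = [k for k, _ in headers]
    return {
        "merge": keys.count("parent") >= 2,
        # Presence only: validity still needs `git verify-commit` and a trusted key.
        "gpg_signed": "gpgsig" in keys,
        "signed_off": bool(SIGNOFF.search(message)),
    }

def policy_ok(raw, on_trunk):
    """Assumed policy from the thread: trunk commits need -S, contributions need -s."""
    c = classify(raw)
    return c["gpg_signed"] if on_trunk else c["signed_off"]

def _commit(parents, extra_headers, message):   # builds constructed sample objects
    lines = ["tree " + "1" * 40] + ["parent " + p * 40 for p in parents]
    lines += ["author A Dev <dev@example.org> 1402664000 +0200",
              "committer A Dev <dev@example.org> 1402664000 +0200"]
    return "\n".join(lines + extra_headers) + "\n\n" + message

SIG = ["gpgsig -----BEGIN PGP SIGNATURE-----", " ",
       " (constructed placeholder, not a real signature)",
       " -----END PGP SIGNATURE-----"]
TRUNK_MERGE = _commit("23", SIG, "Merge contributor branch\n")
CONTRIB = _commit("2", [], "Fix typo\n\nSigned-off-by: A Dev <dev@example.org>\n")
SPOOF = _commit("2", [], "Fix\n\ngpgsig -----BEGIN PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for name, raw, trunk in [("trunk merge", TRUNK_MERGE, True),
                             ("contribution", CONTRIB, False),
                             ("spoofed body", SPOOF, True)]:
        print(name, classify(raw), "policy ok:", policy_ok(raw, trunk))
```

The `SPOOF` sample shows why the check reads the header block only: text that looks like a signature inside the message body is not a `gpgsig` header.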
