[Mailman-Developers] Signing commits with gpg

Mark Sapiro mark at msapiro.net
Tue Oct 24 18:56:23 EDT 2017


On 10/24/2017 02:18 PM, Barry Warsaw wrote:
> On Oct 24, 2017, at 16:52, Abhilash Raj <maxking at asynchronous.in> wrote:
>>
>> GitLab now supports verification of commit signatures and it would be
>> awesome if we start signing commits. It is a relatively painless process
>> and happens automatically with little configuration.
> 
> Very cool that GL has enabled this!  Thanks for sending the recipe too.  I definitely encourage folks (especially core devs) to start signing commits.


I have set my .gitconfig to automatically sign commits (I already had my
signingkey in the [user] section, but I didn't have [commit] gpgsign =
true which I now do).

I remember looking into signing commits when we first switched from bzr
to git because I was used to signing all commits. At that time, it
seemed controversial. See, e.g.,
<http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-tp2582986p2583316.html>
where Linus argues that "Signing each commit is totally stupid." and
that you should sign tags but not commits.

I don't know enough about the internals of this to have an opinion, and
as I said I will be signing my commits going forward, and the post I
link to is over 8 years old and things might have changed, but there it
is for what it's worth.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
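
The following is an added example, not part of the original message or of Mailman's tooling: a shell check that a git config file has both settings mentioned above (`signingkey` under `[user]` and `gpgsign = true` under `[commit]`), plus a helper that lists commits carrying no signature. The function names and the key ID in the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit git signing configuration and find unsigned commits.

# write_sample_config FILE
# Writes a constructed config with the two settings discussed in the message.
# The key ID is a placeholder, not a real key.
write_sample_config() {
    printf '[user]\n\tsigningkey = 0123456789ABCDEF\n' > "$1"
    printf '[commit]\n\tgpgsign = true\n' >> "$1"
}

# signing_config_ok FILE
# Succeeds only if FILE sets a non-empty user.signingkey and commit.gpgsign
# evaluates to true (git accepts true/yes/on/1; --bool normalises them).
signing_config_ok() {
    cfg=$1
    key=$(git config --file "$cfg" --get user.signingkey) || return 1
    [ -n "$key" ] || return 1
    sign=$(git config --file "$cfg" --bool --get commit.gpgsign) || return 1
    [ "$sign" = "true" ]
}

# unsigned_commits REPO [REVISION-RANGE]
# Prints the hash of every commit in the range that has no signature at all.
# %G? yields one status letter per commit; "N" means "no signature".
# Other letters (G good, B bad, U unknown validity, E cannot be checked, ...)
# mean a signature is present and need a keyring to evaluate.
unsigned_commits() {
    git -C "$1" log --format='%H %G?' "${2:-HEAD}" |
        awk '$2 == "N" { print $1 }'
}
```

To check your own setup, run `signing_config_ok ~/.gitconfig && echo ok`, and `unsigned_commits . origin/master..HEAD` before pushing (the range is an example).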
