[Mailman-Developers] Signing commits with gpg

Barry Warsaw barry at list.org
Wed Oct 25 11:40:04 EDT 2017


On Oct 24, 2017, at 18:56, Mark Sapiro <mark at msapiro.net> wrote:
> 
> I remember looking into signing commits when we first switched from bzr
> to git because I was used to signing all commits. At that time, it
> seemed controversial. See, e.g.,
> <http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-tp2582986p2583316.html>
> where Linus argues that "Signing each commit is totally stupid." and
> that you should sign tags but not commits.
> 
> I don't know enough about the internals of this to have an opinion, and
> as I said I will be signing my commits going forward, and the post I
> link to is over 8 years old and things might have changed, but there it
> is for what it's worth.

I’m not sure that any of the points Linus brings up in that thread have changed, but I’m also not sure how relevant they are to our workflow.  It’s interesting enough that GitLab is now showing the verified tag for signed commits, although TBH, I’m also not sure how much that buys us in practice.  Still, it’s easy enough to experiment with, so let’s do it and see if it has any practical impact on us, either pro or con.

-Barry
