Replies: 3 comments 5 replies
-
I don't always have my gpg key on me. It would certainly make things a lot more difficult for me. I think it also would break things like squash and rebase, making the project more annoying for pull requests. I'm of the opinion it's not worth it.
-
The other thing is having signed commits turned on doesn't prevent a long drawn-out attack like xz; it just is a bigger barrier to entry to genuine contributors. I think the only thing it really helps is to prove no identity theft occurred.
-
Just chiming in out of experience: I started using this feature by default myself once SSH keys were supported for signing commits. It eases a lot of the burdens that GPG can sometimes introduce. GitHub's documentation is attached below, but this is supported on most other platforms as well since it is built into git as of v2.34. In terms of making it a strong key, passphrases would be recommended, and an agent can be used to alleviate the burden of management there as well. With regards to squashing and rebasing, these are signed as well depending on your configuration and approach. Local rebases for me are always signed, and when I merge PRs I squash and merge, which GitHub will sign when adding to the commit tree, even if the commits in the pull request are not signed. Just two cents from a wanderer here 👋🏼. If this can be introduced without impacting the core contributors too much, I think it's worth it.
-
In light of the xz issue recently, I wondered if we should enforce signed commits, e.g.
git config commit.gpgsign true
-- maybe it's something we could add to ./contrib/setup? I don't know if that complicates things from a new contributor point of view, but given @superm1 and I seem to be doing a lot of the heavy lifting, just asking the core contributors to have this turned on would be a great start.