hibby writes ("Bug#1115500: git-debpush should override git -c gpg.format"):
> Yep, gpg.format and user.signingkey are both set for the ssh,
> belt-and-braces would be to override both.

git-debpush doesn't currently *know* what to override user.signingkey
with. I think probably the right answer *for this bug* is to override
gpg.format and then if the user has *also* set a user.signingkey and
doesn't override the key[1] then the attempt to make a signature will
fail?

[1] I mean, override using a currently-hypothetical option like in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108267#40
so really I mean it will always fail.

An alternative could be to *inspect* gpg.format and fail if we don't
like the answer and no key override was found.

I guess it could *unset* user.signingkey if it finds itself overriding
gpg.format? This all seems like too much (a) magic (b) violence.

> I had a read earlier based on your email, food for thought.

Mmm.

> Salsa/Gitlab incentivises signing commits with verified badges - https://salsa.debian.org/help/user/project/repository/signed_commits/ssh.md,

I quite understand why you followed their lead on this, but I'm afraid
my opinion about this is something like:

Idiotic corporations under pressure to Do Something about "Supply
Chain Security" (spit) add feature which is almost no work for them
but asks for extra work from floss maintainers, without consideration
of whether the feature is just useless "magic security sprinkles", or
indeed, much consideration of anything.

(Many will read that and say "story of a security engineer's life".)

Ian.

