> On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>
>
> Good reading for the Wednesday morning;) yes I think we need to go there
> and maybe even ask it of our contributors.
>

It might please the ASF since we can now prove who made the commit. If we ask
all committers to upload their public key and sign their commits we can check
this. For Pull Requests we can probably also add a hook/check which verifies
if a signature is present.

Wido

> On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <w...@widodh.nl> wrote:
>
> > Hi,
> >
> > Github just added [0] support for verifying GPG signatures of Git commits
> > to the web interface.
> >
> > Under the settings page [1] you can now add your public GPG key so Github
> > can verify it.
> >
> > It's rather simple:
> >
> > $ gpg --armor --export w...@widodh.nl
> >
> > That gave me my public key which I could export.
> >
> > Git already supports signing [2] commits with your key.
> >
> > This makes me wonder, is this something we want to enforce? To me it seems
> > like a good thing to have.
> >
> > Wido
> >
> > [0]: https://github.com/blog/2144-gpg-signature-verification
> > [1]: https://github.com/settings/keys
> > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> >
>
> --
> Daan
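
A hook/check of the kind mentioned in the reply above could classify each commit in a range by Git's own signature status. This is an added example, not part of the original thread or of the project's tooling; the function names, the pass/fail policy and the sample hashes are assumptions made here.

```shell
# Added example, not from the thread. Input: lines of "<hash> <status>" as
# printed by:  git log --format='%H %G?' <range>
# %G? letters: G good, U good but key validity unknown, B bad,
# X expired signature, Y expired key, R revoked key,
# E cannot be checked (e.g. missing public key), N no signature.

# Print each commit that fails the policy; return 1 if any did.
# Policy (assumption of this example): only G passes, unless
# ALLOW_UNTRUSTED=1, which also accepts U.
check_signatures() {
    failed=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) continue ;;
            U) [ "${ALLOW_UNTRUSTED:-0}" = 1 ] && continue
               reason="signed, but key validity unknown" ;;
            B) reason="bad signature" ;;
            X) reason="signature expired" ;;
            Y) reason="signed with an expired key" ;;
            R) reason="signed with a revoked key" ;;
            E) reason="signature cannot be checked (public key missing?)" ;;
            N) reason="no signature" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        printf '%s: %s\n' "$hash" "$reason"
        failed=1
    done
    return "$failed"
}

# Hypothetical wrapper: check a real range, e.g. origin/master..HEAD.
check_range() {
    git log --format='%H %G?' "$1" | check_signatures
}

# Constructed sample input; the hashes are placeholders, not real commits.
sample_log() {
    cat <<'EOF'
aaaaaaa1 G
bbbbbbb2 N
ccccccc3 U
ddddddd4 B
EOF
}
```

A status of E usually means the verifying machine lacks the committer's public key, so the check is only meaningful where the committers' keys have been imported into the keyring it runs against.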