Niclas Hedhman wrote:
> Drawback, more work...

Sure. Or we state that we require external contributions to be squashed.

> KEYS should also be available on pgp.mit.edu
>
> On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <[email protected]> wrote:
>
>> Niclas Hedhman wrote:
>>> Hi,
>>> There is some internal debate about how to ensure provenance in a Git and
>>> GitHub world. I can't say how that discussion is going, but one idea that
>>> surfaced, which we (the projects) can do regardless of the total outcome,
>>> to improve code provenance is to sign our commits.
>>>
>>> I first note that IntelliJ doesn't support commit signing directly.
>>>
>>> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
>>> that correctly) is a must read.
>>>
>>> In that paper, I am specifically talking about Option #3 (as I doubt that
>>> we (Zest) will get too many pull requests that are many commits long)
>>>
>>> This seems to be something that can be introduced incrementally and at a slow
>>> pace, which is something we like at Apache. Trust enforcement and all of
>>> that can be done later, and perhaps other projects will lead the way...
>>>
>>> I would like to hear what people think about this...
>> I think we should sign tags at least/first.
>>
>> I'd be in favor of signing commits.
>> Doing this properly could also mean adding a hook to reject unsigned
>> commits.
>>
>> For external contributions, some Zest committer will always end up doing
>> the actual code import. I'd be in favor of always squashing such code
>> imports, and have the committer sign it. For the
>> numerous-commits-pull-request "use case", it implies a bit of work to get
>> a proper commit message that captures what was spread across several
>> commits, or request its author to do the squashing.
>> Do you see any drawbacks doing it like this?
>>
>>> P.S. I am now settled in, in Shanghai and just started to work on a new
>>> Zest based app on my spare time, so activity should start to pick up again.
>> P.S. Good! I've been busy with work changes these weeks. I have good
>> hope that it will calm down a bit.
>>
>> BTW, Niclas's key and mine can be found here:
>> https://dist.apache.org/repos/dist/release/zest/KEYS
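
The hook idea raised in this thread (reject unsigned commits on push), as an added example that is not part of the original messages or the project's own tooling: a server-side `pre-receive` hook built on git's `%G?` signature-status placeholder. It assumes that statuses `G` and `U` are acceptable (signature valid, trust not yet enforced) and that the server's GnuPG keyring already holds the committers' public keys, for instance imported from the KEYS file; the function names are hypothetical.

```shell
#!/bin/sh
# pre-receive hook: refuse pushes that introduce commits without a valid signature.
# Assumption: G (good) and U (good, signer trust unknown) pass; every other
# status git reports through %G? is rejected.

# True when the object id is all zeros (ref creation or deletion marker).
is_zero() {
    case "$1" in
        *[!0]*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Reads "<sha> <status>" lines (git log --format='%H %G?') on stdin and
# prints the sha of every commit whose signature status is not acceptable.
reject_list() {
    while read -r sha status; do
        case "$status" in
            G|U) ;;                      # signature verifies
            *)   printf '%s\n' "$sha" ;; # N none, B bad, E key missing, X/Y expired, R revoked
        esac
    done
}

# Prints the signature status of the commits a ref update introduces.
new_commit_status() {
    if is_zero "$1"; then
        # New branch or tag: only commits not reachable from existing refs.
        git log --format='%H %G?' "$2" --not --all
    else
        git log --format='%H %G?' "$1..$2"
    fi
}

# Act as a hook only when installed under the name git expects.
if [ "${0##*/}" = "pre-receive" ]; then
    rc=0
    while read -r old new ref; do
        if is_zero "$new"; then continue; fi   # ref deletion, nothing to verify
        bad=$(new_commit_status "$old" "$new" | reject_list)
        if [ -n "$bad" ]; then
            echo "rejected $ref: commits without a valid signature:" >&2
            echo "$bad" >&2
            rc=1
        fi
    done
    exit "$rc"
fi
```

A commit signed with a key the server does not have is reported as `E` and is therefore rejected, so the keyring has to be kept in step with the published KEYS file.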
