On Tue, 2026-06-16 at 12:00 +0000, Leigh Scott wrote:
> We could make gpg signed git commits mandatory as the first step, 
> non signed commits could be rejected.

I worry that we're not in a position to enforce signed commits until 
our Forge(s) can sign commits themselves (e.g. for merges).

We'd be limiting ourselves to doing everything locally, when there are
security wins to the Forge occasionally taking actions on your behalf,
like only allowing commits via Pull Request which I don't think can be 
enforced if the workflow requires merging locally.

https://forge.fedoraproject.org/forge/forge/issues/446 was raised to
discuss this, and I've built a proof-of-concept for signing on 
https://github.com/thebeanogamer/forgejo-siguldry-signing but we can't
do that until the signing infrastructure is migrated to Siguldry.

-- 
Daniel Milnes

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to