On Tue, 2026-06-16 at 12:00 +0000, Leigh Scott wrote: > We could make gpg signed git commits mandatory as the first step, > non signed commits could be rejected.
I worry that we're not in a position to enforce signed commits until our Forge(s) can sign commits themselves (e.g. for merges). We'd be limiting ourselves to doing everything locally, when there are security wins to the Forge occasionally taking actions on your behalf, like only allowing commits via Pull Request which I don't think can be enforced if the workflow requires merging locally. https://forge.fedoraproject.org/forge/forge/issues/446 was raised to discuss this, and I've built a proof-of-concept for signing on https://github.com/thebeanogamer/forgejo-siguldry-signing but we can't do that until the signing infrastructure is migrated to Siguldry. -- Daniel Milnes
signature.asc
Description: This is a digitally signed message part
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
