On Tue 2019-09-17 18:55:53 +0200, john doe wrote:

> Do you mind explaining why you are against signing commits?
I'd like to understand what your proposed use case and value proposition is for signed commits.

I can justify my call for signed tags -- i want to have cryptographic provenance for any software release that i package for debian. Note that i want to package a *release* though -- not just some arbitrary (possibly buggy) stage on the way to a release.

do you believe that branch rebases ("changing history") are acceptable steps for free software developers to take in pursuit of a cleaner git history?

Who do you expect to verify the signatures on the signed commits? when should they verify them? what specific tests should they perform on the signatures (e.g. "monotonically increasing in time", "signature timestamp matches commit message timestamp", "author is from specific set", "no existing commits ever disappear", etc)?

I'm not saying that signed commits are never warranted -- i'm just not sure what the specific hope is, and what kinds of attacks you hope to mitigate, and how that practice applies to jsunit itself, since that's what's under discussion here.

--dkg
_______________________________________________
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
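The message above asks what concrete tests a verifier of signed commits would actually run. The following is an added example, not code from the thread or from the jsunit or enigmail projects, of how such a policy check could be written against `git log` output. It assumes the log was produced with `git log --reverse --format='%H|%G?|%GK|%ae|%ct' <range>` (git's own placeholders for hash, signature verdict, signing key id, author e-mail and commit time); the sample log lines, key ids and addresses are constructed for illustration. It checks three of the tests named in the message: a good signature from a listed key, author in a specific set, and commit times that do not go backwards.

```python
"""Policy checks over a range of signed commits, fed with `git log` output.

Added example (not from the thread). Expected input is one line per commit:
    <hash>|<%G?>|<%GK>|<author e-mail>|<commit time, unix seconds>
%G? is git's signature verdict: G = good, B = bad, U = good but key of
unknown trust, X/Y = good but expired, R = revoked key, E = cannot check
(key missing), N = no signature.
"""
from dataclasses import dataclass

# Constructed sample log: hashes, key ids and addresses are made up.
# Commit 3333... is unsigned by an outsider; 4444... has a commit time
# earlier than its predecessor (as a rebase or a bad clock would produce).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|G|ABCDEF0123456789|alice@example.org|1568700000
2222222222222222222222222222222222222222|G|ABCDEF0123456789|alice@example.org|1568703600
3333333333333333333333333333333333333333|N||mallory@example.net|1568707200
4444444444444444444444444444444444444444|G|FEDCBA9876543210|bob@example.org|1568704000
"""

# Policy inputs (constructed): keys and authors the verifier has decided to accept.
TRUSTED_KEYS = {"ABCDEF0123456789", "FEDCBA9876543210"}
ALLOWED_AUTHORS = {"alice@example.org", "bob@example.org"}


@dataclass
class Commit:
    sha: str
    status: str       # git's %G? verdict
    key: str          # %GK, empty when there is no signature
    author: str
    commit_time: int  # %ct


def parse_log(text):
    """Parse lines in the format described above into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key, author, ct = line.split("|")
        commits.append(Commit(sha, status, key, author, int(ct)))
    return commits


def audit(commits, trusted_keys, allowed_authors):
    """Return (sha, problem) findings, oldest commit first; empty means the range passes."""
    findings = []
    prev_time = None
    for c in commits:
        # Test 1: git must report a good signature, and the key must be one we listed.
        if c.status != "G":
            findings.append((c.sha, f"signature status {c.status!r}, expected 'G'"))
        elif c.key not in trusted_keys:
            findings.append((c.sha, f"signed by unlisted key {c.key}"))
        # Test 2: author is from a specific set.
        if c.author not in allowed_authors:
            findings.append((c.sha, f"author {c.author} not in allowed set"))
        # Test 3: commit times never go backwards along the range.
        if prev_time is not None and c.commit_time < prev_time:
            findings.append((c.sha, "commit time earlier than previous commit"))
        prev_time = c.commit_time
    return findings


def audit_sample():
    """Run the policy over the constructed sample log."""
    return audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS, ALLOWED_AUTHORS)


if __name__ == "__main__":
    for sha, problem in audit_sample():
        print(f"{sha[:12]} {problem}")
```

Note that these checks only consume git's verdict; git itself asks gpg whether the signature is good, so the trust decision still rests on which keys are in the verifier's keyring and on the explicit allow-lists above. The "signature timestamp matches commit timestamp" test from the message is not covered, because `git log` exposes no placeholder for the OpenPGP signature creation time; it would need the raw signature from `git cat-file`.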