On Tue 2019-09-17 18:55:53 +0200, john doe wrote:
> Do you mind explaining why you are against signing commits?

I'd like to understand what your proposed use case and value proposition
is for signed commits.

I can justify my call for signed tags -- i want to have cryptographic
provenance for any software release that i package for debian.  Note
that i want to package a *release* though -- not just some arbitrary
(possibly buggy) stage on the way to a release.

do you believe that branch rebases ("changing history") are acceptable
steps for free software developers to take in pursuit of a cleaner git
history?

Who do you expect to verify the signatures on the signed commits?  when
should they verify them?  what specific tests should they perform on the
signatures (e.g. "monotonically increasing in time", "signature timestamp
matches commit message timestamp", "author is from specific set", "no
existing commits ever disappear", etc)

I'm not saying that signed commits are never warranted -- i'm just not
sure what the specific hope is, and what kinds of attacks you hope to
mitigate, and how that practice applies to jsunit itself, since that's
what's under discussion here.

         --dkg

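The verification tests dkg asks about (signature status good, author drawn from a specific set, commit times monotonically non-decreasing, no previously seen commit disappearing) written out as a small policy checker over `git log` output; this is an added example, not code from the thread or from jsunit, and the author allowlist, the sample log lines and the earlier hash snapshot are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable

# Each input line is assumed to come from
#   git log --reverse --format='%H%x09%G?%x09%ae%x09%ct' <range>
# %G? is git's signature status: "G" means a good signature from a trusted key.

@dataclass
class Commit:
    sha: str
    sig_status: str   # %G?
    author: str       # %ae
    commit_time: int  # %ct, unix seconds

def parse_log(lines: Iterable[str]) -> list:
    """Parse tab-separated git log lines into Commit records."""
    commits = []
    for line in lines:
        if not line.strip():
            continue
        sha, status, author, ctime = line.rstrip("\n").split("\t")
        commits.append(Commit(sha, status, author, int(ctime)))
    return commits

def check_history(commits, allowed_authors, previously_seen):
    """Return policy violations; an empty list means the range passes."""
    problems = []
    last_time = None
    seen = set()
    for c in commits:
        seen.add(c.sha)
        if c.sig_status != "G":
            problems.append(f"{c.sha[:7]}: signature status {c.sig_status!r}, expected 'G'")
        if c.author not in allowed_authors:
            problems.append(f"{c.sha[:7]}: author {c.author} not in allowed set")
        if last_time is not None and c.commit_time < last_time:
            problems.append(f"{c.sha[:7]}: commit time earlier than its parent")
        last_time = c.commit_time
    # "no existing commits ever disappear": every hash recorded earlier must still be present
    for sha in sorted(set(previously_seen) - seen):
        problems.append(f"{sha[:7]}: previously recorded commit no longer in history")
    return problems

# Constructed sample log (not real repository data): an unsigned commit and a rewound clock.
SAMPLE_LOG = [
    "a1b2c3d4e5f60000000000000000000000000000\tG\talice@example.org\t1568739353",
    "b2c3d4e5f6a70000000000000000000000000000\tN\tbob@example.org\t1568742953",
    "c3d4e5f6a7b80000000000000000000000000000\tG\tmallory@example.net\t1568700000",
]
ALLOWED = {"alice@example.org", "bob@example.org"}
```

Note that `%G?` only reports what git's configured gpg considers a trusted key, so the key-trust question dkg raises (who verifies, against which keys) is settled by the verifier's keyring, not by this script.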