On 05/08/2016 07:07 PM, Kent Fredric wrote:
> On 9 May 2016 at 05:03, Alexis Ballier <aball...@gentoo.org> wrote:
>> I was under the impression that merging is needed in order to preserve
>> commit signatures when e.g. merging someone else's work.
> Correct, but if the person applying the commits to tree is in fact
> reviewing them as they go, then the fact they re-sign it with their
> own signature (and changing the commits "Committed by" in the process)
> pretty much means the chain of custody is preserved.

And it is a requirement in particular in the case where the author is
not a Gentoo dev, as the certificate used for the signature otherwise
isn't recognized. The committing developer will need to have a local
framework in place for certificate validation to ensure that the author
is authentic; after that, the committing author is responsible for all
behavior of the commit.

Kristian Fiskerstrand
OpenPGP certificate reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: signature.asc
Description: OpenPGP digital signature
