On 11 May 2016 at 00:04, Alexis Ballier <[email protected]> wrote:
> well, then I can commit crap with --author [email protected] and claim he
> made me rebase it :)

Well, if you're going down that line ... You don't rebase it, you just merge it, and then mrp claims obama forced his hand to write the commit at gunpoint and sign it, and that's why he is both --author and --committer.

That's obviously silly talk :D

You put your name on it with your GPG key, then the responsibility beyond that point is a social one, not a technical one.

The person who signed via GPG still holds the "Technical responsibility" :)

> I understand gpg signing of commits as a way to guarantee author is
> correctly set and claims the commit.

No. GPG commit signing only guarantees "committer". That's why git rebase re-writes committer as well as re-signing it.

The committer metadata itself is no real guarantee either, because you can twiddle COMMIT env vars and change that on a whim, so I could forge a commit authored by mrp and committed by aballier ... and unless you checked the GPG sig, you'd never know that I made it.

But by design, the signature only indicates who the person was who *committed* a commit, it can never indicate the true author.

For instance, a commit *could* in theory be authored by somebody who has no access to a computer, and I could copy-paste that data and upload it. The true author would never be known /unless/ I forged author data, but I sure was the person who committed it.

And "Commit responsibility" is what we're trying to regulate here. "Author metadata" is just for attribution/credits sake, and a *weak* responsibility.

--
Kent

KENTNL - https://metacpan.org/author/KENTNL
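
The point made in the message above, as an added example that is not part of the original email: author and committer are plain strings taken from the environment, so a reviewer's check has to key on the signature status (`%G?`) rather than on either name. The identities below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: names and addresses below are made up for illustration.

# Create a throwaway repo containing one unsigned commit whose author and
# committer fields are both set purely from environment variables.
make_env_commit() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" || return 1
    GIT_AUTHOR_NAME="Alice Example" GIT_AUTHOR_EMAIL="alice@example.org" \
    GIT_COMMITTER_NAME="Bob Example" GIT_COMMITTER_EMAIL="bob@example.org" \
        git -C "$repo" -c commit.gpgsign=false \
            commit -q --allow-empty -m "metadata set via env vars" || return 1
    printf '%s\n' "$repo"
}

# Print "author|committer|signature-status|signer" for HEAD.
# %G? is N when the commit has no signature and G for a good one;
# %GS is the signer name reported by signature verification.
audit_head() {
    git -C "$1" log -1 --format='%an|%cn|%G?|%GS'
}

# Policy check: accept HEAD only if it carries a good signature.
# The claimed author and committer strings are deliberately ignored.
head_is_trusted() {
    [ "$(git -C "$1" log -1 --format='%G?')" = "G" ]
}

# Stand-alone run: show the audit line for the unsigned commit, then clean up.
demo=$(make_env_commit) && audit_head "$demo" && rm -rf "$demo"
```

The audit line shows both names exactly as supplied while the signature column reads `N`, which is the only field in that output that the person running `git commit` could not set freely.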
