On 10/19/2016 01:00 AM, Robin H. Johnson wrote: > One of the downsides both the git-am and cherry-pick workflows are that > they invalidate or otherwise omit commit signatures. > > git-merge on the other hand does preserve the signature as the original > commit is intact, and the merge commit is where the signature of the > gentoo developer is introduced. > > I agree clean history is valuable, but verifiable attribution may in > fact be more important. > Yes, I don't like this aspect of any workflow that breaks history but I personally feel that for the sake of both 'cleanliness' and ease of use that the git am (or cherry-pick) workflow is best. I could possibly see the possibility of tampering with the patch could be a problem (attribution as you say) but in the end a developer still committed it. Authored-by and Committed-by being different fields I feel the main one infra needs to worry about is Committed-by.
-- Matthew Thode (prometheanfire)
Description: OpenPGP digital signature