2013/2/14 Junio C Hamano <gits...@pobox.com>:
>     - The "right" one you mention for %GS is easier than you might
>       think.  If you just verify against the accompanying "tagger"
>       identity, that should be sufficient.  It of course cannot be
>       generally solved, as you could tag as person A while signing
>       with key for person B, but a simple social convention would
>       help us out there: if you tag as Mariusz Gronczewski, your
>       signature should also say so.
unless there is someone else with same name, which happens more often
(so far i've seen it happen twice) than same GPG IDs. It's all fine if
you just have one keyring that you can use to validate against all
repos but when there are multiple projects each with different persons
responsible for deploying it can get messy ;].

my use-case is basically "allow only commits signed by person X Y or Z
to be deployed on production" and  "allow only persons A, B, C, X, Y,
Z to commit", while latter case can be solved by software like
gitolite, credential validation is messy at best as you have to
- ssh key
- if ssh key owner matches commiter name
- if commiter name =! author name, if a given person can do that
(project architect or some other person accepting patches) or can't
and I'm trying to implement GPG signing so if someone does something
malicious i can say "OK that commit was signed by your key ID, why you
did it?"

Mariusz Gronczewski (XANi) <xani...@gmail.com>
GnuPG: 0xEA8ACE64
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to