On Wed, 4 May 2016, Kus wrote:
> I'd like to propose that all commits (at least to master) going forward be
> signed with the committer's GPG key.
> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> Thoughts?

Other than the possible idea that you can know if a commit was created by the
same person who created another commit with the same signature, how are you
going to validate the signatures?

Who would issue the certs?

How do you handle signatures on a patch that requires changes before it's
merged?

How do you handle signatures on a patch that arrives via e-mail?

In other words, would this really be able to cover all commits without having
people sign for other people's work? If it can't, what do the signatures
actually tell you?

David Lang
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev