On Oct 24, 2017, at 18:56, Mark Sapiro <m...@msapiro.net> wrote:
>
> I remember looking into signing commits when we first switched from bzr
> to git because I was used to signing all commits. At that time, it
> seemed controversial. See, e.g.,
> <http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-tp2582986p2583316.html>
> where Linus argues that "Signing each commit is totally stupid." and
> that you should sign tags but not commits.
>
> I don't know enough about the internals of this to have an opinion, and
> as I said I will be signing my commits going forward, and the post I
> link to is over 8 years old and things might have changed, but there it
> is for what it's worth.

I’m not sure that any of the points Linus brings up in that thread have changed, but I’m also not sure how relevant they are to our workflow. It’s interesting enough that GitLab is now showing the verified tag for signed commits, although TBH, I’m also not sure how much that buys us in practice. Still, it’s easy enough to experiment with, so let’s do it and see if it has any practical impact on us, either pro or con.

-Barry