I guess more important would be to sign the releases. At least archlinux likes 
to have signatures for source archives and often requests upstream projects to 
add this. 

For me as a user it would be more interesting to have a verified release signed 
by one key that's static rather than a commit history that is signed by many 
different keys that I don't know. 
I guess the single commit signature is more relevant to other developers, so we 
know who actually committed something. However, if all commits to the master 
branches come from merge requests, you already use GitLab's verification. It's 
not as good as GPG signatures, but in the end you have to trust GitLab to a 
certain degree anyway...

Another thing that just came to mind: how does commit squashing work? You'll 
probably have to do that offline and not use GitLab's auto-squashing...

I don't have anything against it and I can also rather easily start doing that. 
(I will have to have my keychain nearby, as I don't have my keys stored on my 
machines...)
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9
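The distinction drawn in the message above, between one static release key a packager can pin and a commit history signed by many keys the downstream does not know, can be shown in code. The following is an added example written for this archive page; it is not code from the poster or from the Mailman project. It uses Go's standard-library Ed25519 in place of GPG to keep it self-contained: a verifier pins a single release public key, accepts a detached signature over a source archive only from that key, and rejects a perfectly valid signature made with a developer's own (commit-signing) key as well as a tampered archive. The keys, the archive bytes and the names `ReleaseVerifier`, `SignArchive` and `RunDemo` are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ReleaseVerifier pins exactly one long-lived release key. This mirrors what a
// distribution packager does when it records a single upstream fingerprint and
// refuses source archives whose signature comes from any other key.
type ReleaseVerifier struct {
	ReleaseKey ed25519.PublicKey
}

// Fingerprint is the value a packager would pin: the hex SHA-256 of the public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignArchive returns a detached signature over the SHA-256 digest of the
// archive bytes, the shape of a .sig file shipped next to a release tarball.
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	digest := sha256.Sum256(archive)
	return ed25519.Sign(priv, digest[:])
}

// Verify accepts the archive only if the detached signature was made by the
// pinned release key; signatures from any other key, however valid, are rejected.
func (v ReleaseVerifier) Verify(archive, sig []byte) error {
	if len(v.ReleaseKey) != ed25519.PublicKeySize {
		return errors.New("no release key pinned")
	}
	digest := sha256.Sum256(archive)
	if !ed25519.Verify(v.ReleaseKey, digest[:], sig) {
		return errors.New("signature does not verify against the pinned release key")
	}
	return nil
}

// DemoResults records the outcome of the three checks RunDemo performs.
type DemoResults struct {
	GenuineAccepted  bool // archive signed by the release key verifies
	WrongKeyRejected bool // archive signed by a developer's commit key does not
	TamperedRejected bool // modified archive with the genuine signature does not
}

// RunDemo stands in for a packager's verification step. Both keys are freshly
// generated here (constructed for the example); in practice the release public
// key is obtained once, out of band, and pinned.
func RunDemo() (DemoResults, error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResults{}, err
	}
	// A second key plays the role of one of the many per-developer commit-signing keys.
	_, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResults{}, err
	}

	// Constructed stand-in for a source archive's bytes, plus a one-byte tampered copy.
	archive := []byte("constructed tarball contents for project-1.2.3.tar.gz")
	tampered := append([]byte{}, archive...)
	tampered[0] ^= 0xff

	verifier := ReleaseVerifier{ReleaseKey: releasePub}
	releaseSig := SignArchive(releasePriv, archive)
	devSig := SignArchive(devPriv, archive)

	return DemoResults{
		GenuineAccepted:  verifier.Verify(archive, releaseSig) == nil,
		WrongKeyRejected: verifier.Verify(archive, devSig) != nil,
		TamperedRejected: verifier.Verify(tampered, releaseSig) != nil,
	}, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, wrong key rejected: %v, tampered rejected: %v\n",
		r.GenuineAccepted, r.WrongKeyRejected, r.TamperedRejected)
}
```

With GPG the equivalent is a detached signature (`.sig` or `.asc`) published beside the tarball and checked with `gpg --verify`; Arch Linux packagers pin the expected key fingerprint in the PKGBUILD's `validpgpkeys` array, which is exactly the "one static key" the message asks for, and which a set of rotating per-developer commit keys cannot provide.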
