Replies: 3 comments 7 replies
-
That's what I suggested, so of course I'm okay with it. 👍 Regarding signed commits, I'm aligned with the position of Linus Torvalds: https://web.archive.org/web/20201111174438/http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html#a2583316 TL;DR: Basically, what's important is that releases are signed, and when they are created on github, they are. BTW, currently Will's GPG key is expired:
Did anyone come forward and protest that the GPG key was expired? Nope. As a side note, I consider GPG broken, my app uses minisign. In Python world, Pypi has removed GPG signature of packages, see: https://blog.pypi.org/posts/2023-05-23-removing-pgp/. So what you should do is sign tags, that's the important thing. |
Beta Was this translation helpful? Give feedback.
-
|
And if we want it to be actually useful, we should mention a way to verify the signature. For instance, I went to Will's website to try and find its public key from an authoritative source, but didn't find it. |
Beta Was this translation helpful? Give feedback.
-
|
This is very interesting. FWIW all of my commits have been signed since 2018 or so. Comparing ec35073 (my direct commit to a branch) with ab93dd4 (the merge commit), it looks more like the GPG key used by GitHub to sign the merge commit expired and was rotated so its presumably something similar for the release you spotted. Also for posterity, I have recently switched to signing commits with SSH keys 086a375 thanks to using latest version of git. I would love to clear out the GPG key from my profile however I understand that would mark all my commits as unverified which is annoying. I don't know the best way of publishing SSH and GPG public keys on my website so if you have an example, that would be neat. |
Beta Was this translation helpful? Give feedback.
-
There is the https://www.deltablot.com/.well-known/security.txt FYI, we can see your SSH keys here: https://github.com/willpower232.keys but it's on GitHub too, so it doesn't help the verification process in that case. |
Beta Was this translation helpful? Give feedback.
-
|
Aha lovely |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
I don't hate this idea, it definitely forces more care from contributors as fixing mistakes require due process rather than force pushing the primary branch. |
Beta Was this translation helpful? Give feedback.
-
|
Also, it would be great if you could set the merge behavior to squash by default, so we can have a clean history. |
Beta Was this translation helpful? Give feedback.
-
|
I don't mind, but does this sparkle with the rest of the team as well? |
Beta Was this translation helpful? Give feedback.
-
|
squash merging is usually better, I tend to craft my commits so a squash isn't normally required but I don't know anyone else who goes to such lengths 😅 |
Beta Was this translation helpful? Give feedback.
-
I would like to protect the master branch and only allow merges, require pull requests and need at require at least one code reviewer to approve before being able to merge. Also I'd like to require signed commits, but I see that @NicolasCARPi doesn't have this on all commits.
Before I make drastic changes I'd like to consult with @NicolasCARPi and @willpower232 on their opinions?
Beta Was this translation helpful? Give feedback.
All reactions