Excerpts from Olsen, Alan R's message of Wed Sep 28 00:17:54 -0400 2011:

Hi Alan,

> What I would like to see in git would be signed commits. I have
> looked at what it would take to make it work, but I don't have all
> the details worked out. (Certain merges and cherry-picks would not
> work very well.)

I'm presuming that your intent is an optional signature, not a forced
one, but for discussion, consider the monotone[1] dvcs that forces a
signature on every commit. While interesting, it was quite heavy
weight. Their design was complicated by the fact that they used their
own pki solution instead of relying on gpg (although they did
integrate with gpg-agent). Granting access to a new user meant
sharing monotone-specific keys, etc.

It's been my experience that ssh keys are challenging enough for many
people, and asking them to use gpg keys is just not going to fly
unless mandated from the higher-ups. We used monotone here for about
a year and the key requirements were the biggest turn off to adoption.
Maybe using standard (gpg) tools would have been less so, but for the
most part, I don't think so.

In my (very humble) opinion, signed tags (or possibly the new signed
push certificates) are a much better solution to this. They offer the
same guarantees as having every commit signed (trust of all commits
can be determined based on a single signature) but leave daily
interactions much more light weight and flexible.

Thanks
-Ben

[1] http://monotone.ca

--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302
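
An added illustration, not part of the message above and not git's own code: the sketch below shows why one signature on a tag covers every commit it reaches, because each commit id hashes its tree and its parent id, so the tag's `object` line pins the whole chain. It assumes git's default SHA-1 object format, uses an HMAC as a stand-in for the GPG signature, and the function names, key, identity and sample history are all constructed for the example.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: HMAC key standing in for the tagger's GPG key
IDENT = "A U Thor <author@example.invalid> 0 +0000"  # constructed identity

def git_id(kind, body):
    """Git object id: SHA-1 over '<kind> <length>' NUL body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def build_history(versions):
    """One commit per file version, each naming its parent; returns the tip commit id."""
    parent = None
    for n, data in enumerate(versions):
        blob = git_id("blob", data)
        tree = git_id("tree", b"100644 file.txt\0" + bytes.fromhex(blob))
        lines = [f"tree {tree}"]
        if parent:
            lines.append(f"parent {parent}")
        lines += [f"author {IDENT}", f"committer {IDENT}", "", f"change {n}", ""]
        parent = git_id("commit", "\n".join(lines).encode())
    return parent

def tag_body(tip, name):
    """Unsigned annotated-tag payload; the signature covers these bytes."""
    return f"object {tip}\ntype commit\ntag {name}\ntagger {IDENT}\n\nrelease\n".encode()

def sign(data):
    """Stand-in for a detached GPG signature over the tag payload."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify_history(versions, name, signed_body, signature):
    """Accept only if the signature is valid and the recomputed tip matches the tag."""
    if not hmac.compare_digest(sign(signed_body), signature):
        return False
    return tag_body(build_history(versions), name) == signed_body

if __name__ == "__main__":
    history = [b"v1\n", b"v2\n", b"v3\n"]           # constructed sample history
    body = tag_body(build_history(history), "v1.0")
    sig = sign(body)                                 # the single signature
    print("original:", verify_history(history, "v1.0", body, sig))
    tampered = [b"v1 changed\n", b"v2\n", b"v3\n"]  # rewrite the oldest commit
    print("tampered:", verify_history(tampered, "v1.0", body, sig))
```

The guarantee is only as strong as the hash that links the objects, and it says nothing about who authored each individual commit, only that the tagger vouched for the tip and everything reachable from it.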