On Friday, June 14, 2013 at 15:02 EDT,
     Eric Fleischman <efleischman@xxxxxxxxx> wrote:

> We're very interested in using signed commits but are struggling to
> figure out how to use it in the real world. Would love some advice
> from those who know more.

What do you expect to gain from using signed commits? I'm not saying
they don't have a place, but depending on why you find them attractive
there might be alternatives. For example, won't signed tags do?

> We think we know how to deal with signed commits & auto-reject such
> commits at build time, as well as clean up. But we're worried that
> folks won't sign on the way in accidentally. We don't know of a good
> way to force the team to always sign commits yet, especially as they
> get new machines and what have you.

Hooks? A pre-commit hook that runs on the machine and/or a server-side
hook (pre-receive or update?) should be able to enforce this. Well,
a client hook is trivially bypassed so it would just be useful against
mistakes and forgetfulness.

> Is there a way to add something to the repo config to force, or at
> least default, this?

I don't believe you can configure Git to sign commits by default,
but if you control the machine of your machines (assuming a corporate
environment) you can set up a template directory for hook distribution.
Again, that's only for client hooks that are okay to be circumventable.

[...]

--
Magnus Bäck
baeck@xxxxxxxxxx
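
The server-side enforcement suggested in the reply above, sketched as a pre-receive hook. This is an added example, not code from the thread or from the Git project. The function names `unsigned_commits` and `check_push` are hypothetical, and the hook assumes the team's public keys are in the GPG keyring of the account that runs it and that only a `G` status from `%G?` is acceptable.

```shell
#!/bin/sh
# Server-side pre-receive hook: refuse pushes that add commits lacking a
# good GPG signature. Assumes the team's public keys are in the keyring
# of the account that runs the hook (an assumption, not from the thread).

ZERO=0000000000000000000000000000000000000000

# stdin: "<sha> <status>" lines as printed by git log --format='%H %G?'.
# Prints every commit whose status is not G and returns 1 if there were any.
# Policy choice made here: B (bad), U (good, unknown validity) and
# N (no signature) are all rejected.
unsigned_commits() {
    bad=0
    while read -r sha status; do
        [ -n "$sha" ] || continue
        case "$status" in
            G) ;;
            *) echo "$sha ${status:-N}"; bad=1 ;;
        esac
    done
    return "$bad"
}

# stdin: "<old> <new> <ref>" lines, the pre-receive input format.
check_push() {
    rc=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue     # ref deletion, nothing to check
        if [ "$old" = "$ZERO" ]; then
            range="$new --not --all"         # new ref: only commits new to the repo
        else
            range="$old..$new"
        fi
        # $range is left unquoted on purpose so it splits into arguments.
        # A failing git log also rejects the push (fail closed).
        if ! list=$(git log --format='%H %G?' $range </dev/null) ||
           ! printf '%s\n' "$list" | unsigned_commits >&2; then
            echo "rejected $ref: commits lack a good signature" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run only when installed as hooks/pre-receive, so the file can also be sourced.
case "$0" in
    *pre-receive) check_push || exit 1 ;;
esac
```

Installed as `hooks/pre-receive` in the central repository, it cannot be skipped from the client side the way a local pre-commit hook can.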