Re: [PATCH v3] tag: add tag.gpgSign config option to force all tags be GPG-signed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Tigran Mkrtchyan <tigran.mkrtchyan@xxxxxxx> writes:

> As many CI/CD tools don't allow to control command line options when
> executing `git tag` command, a default value in the configuration file
> will allow to enforce tag signing if required.

Hmm.  Would these "many" tools still allow arbigrary configuration
set to affect their operation?  It sounds like a bigger issue but it
is a separate one.

> The new config-file option tag.gpgSign enforces signed tags. Additional
> ...
> will skip the signing step.

This paragraph is well written.

> The combination of -u <key-id> and --no-sign not allowed.

This sentence lacks a verb.  Perhaps s/not allowed/is &/.  

But more importantly, I think we should justify why this "not
allowed" makes sense as the design of the feature. A plausible
alternative design would simply follow the "last one wins" paradigm,
where

    git tag -u key # "-u key" implies "-s"

    git tag -u key --no-sign # "--no-sign' trumps the implied "-s"

    git tag --no-sign -u key # "-u key"'s implication of "-s" trumps the
			     # earlier "--no-sign"

and having "[tag] gpgsign" simply adds to the implication early in
the chain to be overridden by later command line options.

Let's explain why "you cannot give -u <key> and --no-sign at the
same time" is better than "the last one wins".

> diff --git a/Documentation/git-tag.txt b/Documentation/git-tag.txt
> index a74e7b926d..2e5599a67f 100644
> --- a/Documentation/git-tag.txt
> +++ b/Documentation/git-tag.txt
> @@ -64,6 +64,13 @@ OPTIONS
>  -s::
>  --sign::
>  	Make a GPG-signed tag, using the default e-mail address's key.
> +	The default behavior of tag GPG-signing is controlled by `tag.gpgSign`
> +	configuration variable if it exists, or disabled oder otherwise.
> +	See linkgit:git-config[1].
> +
> +--no-sign::
> +	Override `tag.gpgSign` configuration variable that is
> +	set to force each and every tag to be signed.
>  
>  -u <keyid>::
>  --local-user=<keyid>::

If we justify "-u and --no-sign do not mix", that design needs to be
explained to the end users in the documentation, not just in the
proposed log messsage.
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux