Re: [PATCH v3] tag: add tag.gpgSign config option to force all tags be GPG-signed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




----- Original Message -----
> From: "Junio C Hamano" <gitster@xxxxxxxxx>
> To: "Tigran Mkrtchyan" <tigran.mkrtchyan@xxxxxxx>
> Cc: "git" <git@xxxxxxxxxxxxxxx>, "Jonathan Nieder" <jrnieder@xxxxxxxxx>, "Johannes Schindelin"
> <Johannes.Schindelin@xxxxxx>
> Sent: Wednesday, June 5, 2019 6:25:46 PM
> Subject: Re: [PATCH v3] tag: add tag.gpgSign config option to force all tags be GPG-signed

> Tigran Mkrtchyan <tigran.mkrtchyan@xxxxxxx> writes:
> 
>> As many CI/CD tools don't allow to control command line options when
>> executing `git tag` command, a default value in the configuration file
>> will allow to enforce tag signing if required.

Must of them blindly execute git commands with some hard-coded combination of
options. It's clear to me, that they are the source of the problem, but
git can be the solution.

> 
> Hmm.  Would these "many" tools still allow arbigrary configuration
> set to affect their operation?  It sounds like a bigger issue but it
> is a separate one.
> 
>> The new config-file option tag.gpgSign enforces signed tags. Additional
>> ...
>> will skip the signing step.
> 
> This paragraph is well written.
> 
>> The combination of -u <key-id> and --no-sign not allowed.
> 
> This sentence lacks a verb.  Perhaps s/not allowed/is &/.
> 

Jup. Sorry.

> But more importantly, I think we should justify why this "not
> allowed" makes sense as the design of the feature. A plausible
> alternative design would simply follow the "last one wins" paradigm,
> where
> 
>    git tag -u key # "-u key" implies "-s"
> 
>    git tag -u key --no-sign # "--no-sign' trumps the implied "-s"
> 
>    git tag --no-sign -u key # "-u key"'s implication of "-s" trumps the
>			     # earlier "--no-sign"
> 
> and having "[tag] gpgsign" simply adds to the implication early in
> the chain to be overridden by later command line options.
> 
> Let's explain why "you cannot give -u <key> and --no-sign at the
> same time" is better than "the last one wins".

This is matter of convention. I never pay attention to the order of options
on the git command line, but I don't put conflicting options either, I hope.
Does git already have position depended options? If yes, then fine with me.
Otherwise, I don't want to introduce ambiguity. Yes, less ambiguity is my
answer to why it's better than "the last one wins".


> 
>> diff --git a/Documentation/git-tag.txt b/Documentation/git-tag.txt
>> index a74e7b926d..2e5599a67f 100644
>> --- a/Documentation/git-tag.txt
>> +++ b/Documentation/git-tag.txt
>> @@ -64,6 +64,13 @@ OPTIONS
>>  -s::
>>  --sign::
>>  	Make a GPG-signed tag, using the default e-mail address's key.
>> +	The default behavior of tag GPG-signing is controlled by `tag.gpgSign`
>> +	configuration variable if it exists, or disabled oder otherwise.
>> +	See linkgit:git-config[1].
>> +
>> +--no-sign::
>> +	Override `tag.gpgSign` configuration variable that is
>> +	set to force each and every tag to be signed.
>>  
>>  -u <keyid>::
>>  --local-user=<keyid>::
> 
> If we justify "-u and --no-sign do not mix", that design needs to be
> explained to the end users in the documentation, not just in the
> proposed log messsage.

Make sense.

Thanks,
   Tigran.



[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux