----- Original Message ----- > From: "Junio C Hamano" <gitster@xxxxxxxxx> > To: "Tigran Mkrtchyan" <tigran.mkrtchyan@xxxxxxx> > Cc: "git" <git@xxxxxxxxxxxxxxx>, "Jonathan Nieder" <jrnieder@xxxxxxxxx>, "Johannes Schindelin" > <Johannes.Schindelin@xxxxxx> > Sent: Wednesday, June 5, 2019 6:25:46 PM > Subject: Re: [PATCH v3] tag: add tag.gpgSign config option to force all tags be GPG-signed > Tigran Mkrtchyan <tigran.mkrtchyan@xxxxxxx> writes: > >> As many CI/CD tools don't allow to control command line options when >> executing `git tag` command, a default value in the configuration file >> will allow to enforce tag signing if required. Must of them blindly execute git commands with some hard-coded combination of options. It's clear to me, that they are the source of the problem, but git can be the solution. > > Hmm. Would these "many" tools still allow arbigrary configuration > set to affect their operation? It sounds like a bigger issue but it > is a separate one. > >> The new config-file option tag.gpgSign enforces signed tags. Additional >> ... >> will skip the signing step. > > This paragraph is well written. > >> The combination of -u <key-id> and --no-sign not allowed. > > This sentence lacks a verb. Perhaps s/not allowed/is &/. > Jup. Sorry. > But more importantly, I think we should justify why this "not > allowed" makes sense as the design of the feature. A plausible > alternative design would simply follow the "last one wins" paradigm, > where > > git tag -u key # "-u key" implies "-s" > > git tag -u key --no-sign # "--no-sign' trumps the implied "-s" > > git tag --no-sign -u key # "-u key"'s implication of "-s" trumps the > # earlier "--no-sign" > > and having "[tag] gpgsign" simply adds to the implication early in > the chain to be overridden by later command line options. > > Let's explain why "you cannot give -u <key> and --no-sign at the > same time" is better than "the last one wins". This is matter of convention. I never pay attention to the order of options on the git command line, but I don't put conflicting options either, I hope. Does git already have position depended options? If yes, then fine with me. Otherwise, I don't want to introduce ambiguity. Yes, less ambiguity is my answer to why it's better than "the last one wins". > >> diff --git a/Documentation/git-tag.txt b/Documentation/git-tag.txt >> index a74e7b926d..2e5599a67f 100644 >> --- a/Documentation/git-tag.txt >> +++ b/Documentation/git-tag.txt >> @@ -64,6 +64,13 @@ OPTIONS >> -s:: >> --sign:: >> Make a GPG-signed tag, using the default e-mail address's key. >> + The default behavior of tag GPG-signing is controlled by `tag.gpgSign` >> + configuration variable if it exists, or disabled oder otherwise. >> + See linkgit:git-config[1]. >> + >> +--no-sign:: >> + Override `tag.gpgSign` configuration variable that is >> + set to force each and every tag to be signed. >> >> -u <keyid>:: >> --local-user=<keyid>:: > > If we justify "-u and --no-sign do not mix", that design needs to be > explained to the end users in the documentation, not just in the > proposed log messsage. Make sense. Thanks, Tigran.
