On Tue, Jun 04, 2024 at 02:50:49PM GMT, Dimitri Sabadie wrote:
> On the other side, I just had another idea. What would be best to me
> is to actually provide a _proof_ that at least the author acknowledges
> the patch — whether he wrote it or not is another story and I don’t
> think we can enforce that completely. The goal I want to achieve is that
> if I send a patch via email, if the patch ends up committed by someone
> else, I still want to be able to have a proof that “I wrote the patch.”

On the kernel side of things, we're using patatt for this purpose:
https://github.com/mricon/patatt

> So assuming the committer is not of bad faith and doesn’t truncate my
> git commit message… why not simply adding a “sign-off” like line at the
> end of the commit, but instead of just putting a clear text that anyone
> could tamper with, we would sign the date at which the commit was made?
>
> For instance, I could have a git message like:
>
> Fix typo.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Tue Jun 4 02:49:26 PM CEST 2024
> -----BEGIN PGP SIGNATURE-----
>
> iHUEARYKAB0WIQRsmRqgbXp8KFc3mc6pQ4aopiUuywUCZl8NVgAKCRCpQ4aopiUu
> yyhWAQCScfP28Py0QbHuqzzOFyjAMwdK0LfwiGfYrfzfv0evlAD9Hd+x8NgvPq2p
> nnnG5tQaHeIS/v8PMP0suy3QiWV8WQc=
> =Ru+m
> -----END PGP SIGNATURE-----
>
> If I create another commit later with "Fix typo." as content, then the
> date will be different and the signature won’t be the same.
>
> What do you think?

No, this is not a good solution, if only because the date of the commit
can be freely edited to match whatever is in the signature, and then it
can be reused for any commit at all.

-K
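
The objection in the reply above, shown from the verifier's side as an added Go example (not part of the original thread, and not patatt's code): a signature over the date alone still verifies on an unrelated commit that carries the same date, while a signature over a digest of the whole commit does not. Assumptions: an Ed25519 key stands in for the PGP key, and the `Commit` struct, its field layout and both sample commits are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Commit is a constructed, simplified stand-in for a git commit.
type Commit struct{ Author, Date, Message, Diff string }

// verifyDateOnly models the proposal in the thread: the signature covers
// the date string and nothing else.
func verifyDateOnly(pub ed25519.PublicKey, c Commit, sig []byte) bool {
	return ed25519.Verify(pub, []byte(c.Date), sig)
}

// digest hashes every field, length-prefixed so field boundaries cannot shift.
func digest(c Commit) []byte {
	h := sha256.New()
	for _, f := range []string{c.Author, c.Date, c.Message, c.Diff} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// verifyContent checks a signature that binds author, date, message and diff.
func verifyContent(pub ed25519.PublicKey, c Commit, sig []byte) bool {
	return ed25519.Verify(pub, digest(c), sig)
}

// demo signs one commit both ways, then checks both signatures against a
// second, unrelated commit whose date field was set to the same value.
func demo() (dateOrig, dateOther, contentOrig, contentOther bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	orig := Commit{"Author A (constructed)", "Tue Jun 4 02:49:26 PM CEST 2024", "Fix typo.", "-teh\n+the\n"}
	other := Commit{"Author B (constructed)", orig.Date, "Unrelated change", "+new line\n"}
	dateSig := ed25519.Sign(priv, []byte(orig.Date))
	contentSig := ed25519.Sign(priv, digest(orig))
	return verifyDateOnly(pub, orig, dateSig), verifyDateOnly(pub, other, dateSig),
		verifyContent(pub, orig, contentSig), verifyContent(pub, other, contentSig)
}

func main() {
	fmt.Println(demo()) // date-only: both verify; content-bound: only the original
}
```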