On Wed, Dec 18, 2024 at 10:02:34PM -0800, Junio C Hamano wrote:
> Bagas Sanjaya <bagasdotme@xxxxxxxxx> writes:
>
> > On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
> >> Bagas Sanjaya <bagasdotme@xxxxxxxxx> writes:
> >>
> >> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
> >> > pull request (which I should submit in this cycle). Is it OK to do that?
> >> > Drawbacks?
> >>
> >> Instead of talking first about drawbacks, we should consider the
> >> upsides. Why would we even want to see your GPG signature, when
> >> most of us do not even have your GPG public key in our keychains?
> >>
> >> What are we trying to achieve by doing this?
> >
> > Just to ensure that PR commits are really from the respective authors.
>
> Yeah, but my point was that it would not ensure that, because practically
> nobody has a way to validate that the signature was created with your
> private key, and public keyservers were tainted a long time ago
> with fake keys with the same fingerprint, so they would not work as a
> good way to obtain your public key and be sure it is yours.
>
> If this were "because we would want to eat our own dogfood", and if
> we find bugs in our code when different people sign their commits
> with their own signature scheme (i.e. you may sign yours with your
> GPG key, somebody else may use their SSH key, and yet other people
> use their X.509 certs), it might give us valuable insights, but the
> resulting history may be irrevocably tainted if the bug is on the
> signing side (if the bug is on the verification side, that is OK).
>
> Thanks.

OK, thanks! I will stick to unsigned commits then.

--
An old man doll... just what I always wanted! - Clara
Attachment:
signature.asc
Description: PGP signature