Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes: > On Thu, Nov 3, 2011 at 11:52 AM, Junio C Hamano <gitster@xxxxxxxxx> wrote: >> >> Ahh, sorry for the noise. I realize that we already have a winner, namely, >> the proposal outlined in your message I was responding to. > > No, no, don't consider my "put in the merge message" a winner at all. > > I personally dislike it, and don't really think it's a wonderful thing > at all. I really does have real downsides: > > - internal signatures really *are* a disaster for maintenance. You > can never fix them if they need fixing (and "need fixing" may well be > "you want to re-sign things after a repository format change") > > - they are ugly as heck, and you really don't want to see them in > 99.999% of all cases. > > So putting those things iin the merge commit message may have some > upsides, but it has tons of downsides too. > > I think your refs/audit/ idea should be given real thought, because > maybe that's the right idea. While I agree that re-signing is a problem, I do not see it as a huge issue. In your "SHA-1 to SHA-256 transtion" scenario, the conversion is a flag day event in the hopefully fairly distant (in the git timescale) future, and I am reasonably sure that by that time we would already have infrastructure updates necessary to support huge number of refs, including the "lazily scan only the refs necessary" and the "some refs are optional in advertisement" topics that are useful for other purposes. In the worst case, even if we used your "merge commit records the merged tag as the record of requested pull" design today, we could choose not to rewrite these in-merge-commit signatures when the conversion becomes necessary. Instead, the conversion procedure can prepare a mapping table between the old SHA-1 and the rewritten SHA-256, and contributors can prepare detached signature for the mappings of their own commits after verifying that the conversion produced what they are happy with. And then we store concatenation of these detached signatures in a blob to help future third party auditors to audit these (by-then) historical commits. About the ugliness of the merge commit log messages, you have already learned to ignore them with "log --no-merges" ;-) and the material the patch series I sent out adds are at the end, so "/^commit.*$" in less would hopefully work well enough in "log --no-merges" as well. Because the refs/audit/ approach requires too much infrastructure we still do not have today, and workflow elements are not fully worked out (e.g. propagating audit trails fully from sub-sub-sub-...-lieutenants upwards is tricky as I outlined in the other message), I think we should start from a design that we can see how it would work now. With the posted series, the workflow would become something like this: contributor$ work work work contributor$ git tag -s -m 'Signed pull This series is to allow the integrator to pull from contributors by specifying a signed tag, not the tip of the branch, and verify the authenticity of the series while merging' for-linus contributor$ git push public for-linus contributor$ git request-pull origin \ $(git config remote.public.url) for-linus >msg contributor$ edit msg contributor$ mail torvalds@... integrator$ mail ;# read the pull request integrator$ git pull git://github.com/contributor/linux.git for-linus ... editor opens with the usual merge message, but with ... the contents of the tag and the "GPG verify" result at ... the end. It might make sense to also teach the "git tag" part somehow use branch description of the tip of branch being tagged to prime the tag message. -- To unsubscribe from this list: send the line "unsubscribe linux-ide" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html