please use signed git commits (and tags)
== What
Git supports signing of commits since version 1.7.9. Everybody should sign git
commits always.
== Why
- The haskell team has a git repository with tools that maintainers should
clone and use. I cloned the repo. How should I trust all these scripts?
- Somebody wants to contribute to the packaging of something. She clones the
repo and wants to run dpkg-buildpackage on it. There's no trust in
debian/rules at this point.
- not debian related: http://mikegerwitz.com/papers/git-horror-story
== How
- Tell git what key to use:
    git config --global user.signingkey $YOURKEYID
- Sign one commit:
    git commit --gpg-sign
- Always sign all commits:
    git config --global commit.gpgsign true
- Verify commits:
    git log --show-signature
- http://git-scm.com/book/es/v2/Git-Tools-Signing-Your-Work
Thank you,
Thomas Koch
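
Added example, not part of the original message: a check for the "cloned the repo, how do I trust it" case that turns signature verification into a pass/fail gate before running anything from the clone. It reads the output of git log --format='%H %G? %GP'; the allow-list, the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Input on stdin: one commit per line, as printed by
#   git log --format='%H %G? %GP' <range>
# %G? is git's signature status, %GP the signer's primary key fingerprint.
# $1: space-separated fingerprints you trust (hypothetical allow-list).
# Prints every commit that fails the policy; returns 1 if there is any.
check_signatures() {
    trusted="$1"
    bad=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case "$status" in
            G)  # good signature: still require a signer from the allow-list
                case " $trusted " in
                    *" ${fpr:-none} "*) ;;
                    *) echo "$commit untrusted-signer ${fpr:-none}"; bad=1 ;;
                esac ;;
            N)  echo "$commit unsigned"; bad=1 ;;
            B)  echo "$commit bad-signature"; bad=1 ;;
            U)  echo "$commit signer-validity-unknown ${fpr:-none}"; bad=1 ;;
            X|Y|R) echo "$commit expired-or-revoked ${fpr:-none}"; bad=1 ;;
            *)  echo "$commit cannot-verify-$status"; bad=1 ;;  # E: key missing
        esac
    done
    return "$bad"
}

# Constructed sample input (commit ids and fingerprints are made up).
sample_log() {
    cat <<'EOF'
a1a1a1a1 G 1111111111111111111111111111111111111111
b2b2b2b2 G 2222222222222222222222222222222222222222
c3c3c3c3 N
d4d4d4d4 B 1111111111111111111111111111111111111111
EOF
}

TRUSTED="1111111111111111111111111111111111111111"
if sample_log | check_signatures "$TRUSTED"; then
    echo "all commits signed by trusted keys"
else
    echo "refusing to build: see commits listed above"
fi
```

A valid signature from a key outside the allow-list is reported as well, because "signed" alone does not say who signed.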