Re: please use signed git commits (and tags)
On Mon, May 25, 2015 at 10:33:06AM +0200, Bastian Blank wrote:
> On Mon, May 25, 2015 at 09:51:41AM +0200, Thomas Koch wrote:
> > On Sunday 24 May 2015 13:02:38 Thomas Koch wrote:
> > > Git supports signing of commits since version 1.7.9. Everybody should sign
> > > git commits always.
> > There is however the argument that by signing every commit by default one may
> > accidentally publish a signature on some unverified code and somebody else may
> > trust this code because of this.
What's wrong with that? The signature means that you wrote it. It
doesn't mean that it is perfect.
> Much worse, do you trust all your development machines with your private
> key? I clearly don't, as I neither have sole control over them, nor are
> all of them located in jurisdictions I can expect any help against
> seizure.
With Debian packages I upload I can use debsign to sign a build after it
was built. Can I sign git commits / annotated tags in retrospect?
--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
tzafrir@debian.org | | friend