
Re: please use signed git commits (and tags)



On Mon, May 25, 2015 at 02:54:53PM +0200, Tzafrir Cohen wrote:
> On Mon, May 25, 2015 at 10:33:06AM +0200, Bastian Blank wrote:
> > On Mon, May 25, 2015 at 09:51:41AM +0200, Thomas Koch wrote:
> > > On Sunday 24 May 2015 13:02:38 Thomas Koch wrote:
> > > > Git supports signing of commits since version 1.7.9. Everybody should sign
> > > > git commits always.
> > > There is however the argument that by signing every commit by default one may 
> > > accidentally publish a signature on some unverified code and somebody else may 
> > > trust this code because of this.
> 
> What's wrong with that? The signature means that you wrote it. It
> doesn't mean that it is perfect. 
> 
> > Much worse, do you trust all your development machines with your private
> > key?  I clearly don't, as I neither have sole control over them, nor are
> > all of them located in jurisdictions I can expect any help against
> > seizure.
> 
> With Debian packages I upload I can use debsign to sign a build after it
> was built. Can I sign git commits / annotated tags in retrospect?

Since signing changes the sha1 of the commit, only if rewriting history isn't a
problem.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
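The reply above says that signing a commit changes its sha1. The reason is that git stores a commit signature as a `gpgsig` header inside the commit object, and the object id is the sha1 of the serialised object, so the signature is part of what gets hashed. An annotated tag, by contrast, is a separate object that records the commit id it points at, so signing a tag after the fact leaves the commit untouched. The following is an added example (not code from this thread or from git itself) that reimplements git's object hashing in plain Python to make both points visible; the identity string and the PGP signature block are constructed placeholders, not real output.

```python
"""Why signing a commit changes its id while a signed tag does not.

Git hashes every object as sha1("<type> <size>\\0" + body). A commit
signature lives in a 'gpgsig' header inside the commit body, so it is part
of the hashed bytes. A signed tag is its own object that points at the
commit id, so the commit's id is unaffected.
"""
import hashlib
from typing import List, Optional

# Git's well-known id for the empty tree (sha1 of "tree 0\0").
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
# Constructed author/committer identity (not a real person or mailbox).
IDENT = "Example Dev <dev@example.invalid> 1432540800 +0200"
# Constructed stand-in for an ASCII-armoured PGP signature.
FAKE_SIG = ("-----BEGIN PGP SIGNATURE-----\n"
            "\n"
            "iQEzBAABCAAdFiEE...placeholder-signature-bytes...\n"
            "-----END PGP SIGNATURE-----")


def git_object_id(kind: str, body: bytes) -> str:
    """Return the hex object id git assigns to an object of this type/body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree: str, parents: List[str], ident: str, message: str,
                gpgsig: Optional[str] = None) -> bytes:
    """Serialise a commit body in git's on-disk layout (headers, blank, message)."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines.append(f"author {ident}")
    lines.append(f"committer {ident}")
    if gpgsig is not None:
        # A multi-line header value continues with one leading space per line.
        sig_lines = gpgsig.splitlines()
        lines.append("gpgsig " + sig_lines[0])
        lines += [" " + line for line in sig_lines[1:]]
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()


def tag_body(target: str, name: str, ident: str, message: str,
             signature: Optional[str] = None) -> bytes:
    """Serialise an annotated tag; a tag signature is appended after the message."""
    text = f"object {target}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}\n"
    if signature is not None:
        text += signature + "\n"
    return text.encode()


def tag_target(body: bytes) -> str:
    """Read back the commit id an annotated tag object points at."""
    first_line = body.split(b"\n", 1)[0].decode()
    return first_line.split(" ", 1)[1]


def demo() -> dict:
    """Hash the same commit unsigned and signed, then a signed tag on the unsigned one."""
    unsigned = git_object_id("commit", commit_body(EMPTY_TREE, [], IDENT, "Initial import"))
    signed = git_object_id(
        "commit", commit_body(EMPTY_TREE, [], IDENT, "Initial import", gpgsig=FAKE_SIG))
    tag = tag_body(unsigned, "v1.0", IDENT, "Release 1.0", signature=FAKE_SIG)
    return {
        "unsigned_commit": unsigned,      # the id already published in history
        "signed_commit": signed,          # a different id: history would be rewritten
        "signed_tag": git_object_id("tag", tag),
        "tag_points_at": tag_target(tag),  # equals unsigned_commit: history unchanged
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Adding a signature with `git commit --amend -S` therefore produces a new commit id (the first two values differ), which is the history rewrite the reply warns about; creating a signed annotated tag (`git tag -s`) on the existing commit produces a new tag object whose `object` line names the original id, so the published history stays the same. The sanity check in this example is that the hashing routine reproduces git's well-known empty-tree id.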

