From: <rsbecker@nexbridge.com>
To: "'Konstantin Ryabitsev'" <konstantin@linuxfoundation.org>,
"'Jeff King'" <peff@peff.net>
Cc: "'Junio C Hamano'" <gitster@pobox.com>,
"'Matěj Cepl'" <mcepl@cepl.eu>,
git@vger.kernel.org
Subject: RE: git-send-email with GPG signed commits?
Date: Thu, 20 Oct 2022 15:40:03 -0400
Message-ID: <004901d8e4bb$c3338360$499a8a20$@nexbridge.com>
In-Reply-To: <20221020190117.va67kbrmvg4xxit5@meerkat.local>

On October 20, 2022 3:01 PM, Konstantin Ryabitsev wrote:
>On Thu, Oct 20, 2022 at 02:31:41PM -0400, Jeff King wrote:
>> Yes, like bundles, it is losing some of the flexibility of an
>> emailed-patch workflow. I haven't played with b4's attestation too
>> much, but I think it slots into a patch workflow better. You are
>> signing the patch, not the commit, and commits which are made later
>> can refer back to the emails, which people can then verify. That's not
>> a signature on the commit, but it is a paper trail that can be followed.
>
>That is accurate -- I've looked into attempting to preserve git commit signatures via
>sent patches, precisely so they could be applied back into the tree. However, the
>consensus among developers was that this is almost never useful, and since we
>were already providing a robust paper-trail framework in the form of public-inbox
>archives, it made sense to keep patch-level attestation and git-level attestation
>separate.

As I see it, if git commit signatures become a requirement (maybe resulting from supply chain discussions), then using existing capabilities may be the most practical alternative. This would involve submitting signed commits in a pull request via GitHub instead of emailing patches. I know this is not a desirable position for the git team, but it is currently available technology. In a pinch, that could satisfy the requirement.

-Randall