From: Bagas Sanjaya <bagasdotme@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Git Mailing List <git@vger.kernel.org>,
Git l10n discussion group <git-l10n@googlegroups.com>,
Jiang Xin <worldhello.net@gmail.com>
Subject: Re: OK to submit l10n PR with signed commits?
Date: Thu, 19 Dec 2024 18:56:24 +0700
Message-ID: <Z2QJ6CEbHyOObeEl@archie.me>
In-Reply-To: <xmqqh670nrb9.fsf@gitster.g>

On Wed, Dec 18, 2024 at 10:02:34PM -0800, Junio C Hamano wrote:
> Bagas Sanjaya <bagasdotme@gmail.com> writes:
>
> > On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
> >> Bagas Sanjaya <bagasdotme@gmail.com> writes:
> >>
> >> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for l10n
> >> > pull request (which I should submit in this cycle). Is it OK to do that?
> >> > Drawbacks?
> >>
> >> Instead of talking first about drawbacks, we should consider the
> >> upsides. Why would we even want to see your GPG signature, when
> >> most of us do not even have your GPG public key in our keychains?
> >>
> >> What are we trying to achieve by doing this?
> >
> > Just to ensure that PR commits are really from the respective authors.
>
> Yeah, but my point was that it would not ensure, because practically
> nobody has ways to validate the signature was created with your
> private key, and public keyservers have been tainted a long time ago
> with fake keys with the same fingerprint, so would not work as a
> good way to obtain your public key and be sure it is yours.
>
> If this were "because we would want to eat our own dogfood", and if
> we find bugs in our code when different people sign their commits
> with their own signature scheme (i.e. you may sign yours with your
> GPG key, somebody else may use their SSH key, and yet other people
> use their X.509 certs), it might give us valuable insights, but the
> resulting history may be irrevocably tainted if the bug is on the
> signing side (if the bug is on the verification side, that is OK).
>
> Thanks.
OK, thanks! I will stick to unsigned commits then.
--
An old man doll... just what I always wanted! - Clara