From: Junio C Hamano <gitster@pobox.com>
To: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>,
Git l10n discussion group <git-l10n@googlegroups.com>,
Jiang Xin <worldhello.net@gmail.com>
Subject: Re: OK to submit l10n PR with signed commits?
Date: Wed, 18 Dec 2024 22:02:34 -0800
Message-ID: <xmqqh670nrb9.fsf@gitster.g>
In-Reply-To: <Z2OAebI4pQ2K57vA@archie.me> (Bagas Sanjaya's message of "Thu, 19 Dec 2024 09:10:01 +0700")

Bagas Sanjaya <bagasdotme@gmail.com> writes:

> On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
>> Bagas Sanjaya <bagasdotme@gmail.com> writes:
>>
>> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for l10n
>> > pull request (which I should submit in this cycle). Is it OK to do that?
>> > Drawbacks?
>>
>> Instead of talking first about drawbacks, we should consider the
>> upsides. Why would we even want to see your GPG signature, when
>> most of us do not even have your GPG public key in our keychains?
>>
>> What are we trying to achieve by doing this?
>
> Just to ensure that PR commits are really from the respective authors.

Yeah, but my point was that it would not ensure, because practically
nobody has ways to validate the signature was created with your
private key, and public keyservers were tainted a long time ago
with fake keys with the same fingerprint, so would not work as a
good way to obtain your public key and be sure it is yours.

If this were "because we would want to eat our own dogfood", and if
we find bugs in our code when different people sign their commits
with their own signature scheme (i.e. you may sign yours with your
GPG key, somebody else may use their SSH key, and yet other people
use their X.509 certs), it might give us valuable insights, but the
resulting history may be irrevocably tainted if the bug is on the
signing side (if the bug is on the verification side, that is OK).

Thanks.
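
Added example, not part of the original message and not Git's own code: a Python sketch of why a signing-side bug cannot be repaired after the fact. The signature sits in a `gpgsig` header inside the commit object, so it is covered by the object ID, while the signed payload is the same commit with that header removed. The sample commit, the signature body and the helper names (`split_signature`, `attach`, `object_id`) are constructed for illustration.

```python
import hashlib

# Armor prefixes by which Git recognises each signature format.
SIG_FORMATS = {
    "-----BEGIN PGP SIGNATURE-----": "openpgp",
    "-----BEGIN PGP MESSAGE-----": "openpgp",
    "-----BEGIN SSH SIGNATURE-----": "ssh",
    "-----BEGIN SIGNED MESSAGE-----": "x509",
}

def object_id(raw: bytes) -> str:
    """SHA-1 object ID: hash of 'commit <len>' + NUL + object content."""
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()

def split_signature(raw: bytes):
    """Return (scheme, signature, signed_payload) for a raw commit object."""
    head, sep, body = raw.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])   # continuation line: drop the leading space
        else:
            in_sig = False
            kept.append(line)      # every other header is part of the payload
    if not sig:
        return None, None, raw
    signature = b"\n".join(sig).decode()
    scheme = next((s for p, s in SIG_FORMATS.items()
                   if signature.startswith(p)), "unknown")
    return scheme, signature, b"\n".join(kept) + sep + body

def attach(raw: bytes, armored: bytes) -> bytes:
    """Embed an armored signature as a gpgsig header after the last header."""
    head, sep, body = raw.partition(b"\n\n")
    return head + b"\ngpgsig " + armored.replace(b"\n", b"\n ") + sep + body

# Constructed sample commit and placeholder signature (not a real signature).
UNSIGNED = (b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
            b"author A U Thor <author@example.com> 1734588154 +0000\n"
            b"committer A U Thor <author@example.com> 1734588154 +0000\n"
            b"\nl10n: update translation\n")
FAKE_SIG = (b"-----BEGIN SSH SIGNATURE-----\nCONSTRUCTEDPLACEHOLDER\n"
            b"-----END SSH SIGNATURE-----")
SIGNED = attach(UNSIGNED, FAKE_SIG)

if __name__ == "__main__":
    scheme, _, payload = split_signature(SIGNED)
    print(scheme, payload == UNSIGNED, object_id(UNSIGNED), object_id(SIGNED))
```

Because the two object IDs differ, replacing or dropping a bad signature produces a different commit, and every descendant commit would have to be rewritten as well.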