[edk2-devel] Question about EDK2 and commit signing

Marvin Häuser mhaeuser at posteo.de
Sun Sep 12 09:53:34 UTC 2021


Hey,

Just my 2 cents...

Contributors: Git's stance is the author doesn't really matter as long 
as the code is acceptable. For most people, you will not know them 
anyway and it does not buy you much to know they own GitHub account XY. 
If someone is impersonating a maintainer (who would push the changes 
directly after review), that would be obvious anyway.

Maintainers: Why would someone have access to your SSH key but not your 
GPG key? Especially if your commits are auto-signed, both keys are 
likely equally readable. More factors do not meaningfully increase 
security if they are not clearly separate.

I'm sure nobody minds your signatures though. :)

Best regards,
Marvin

On 11/09/2021 20:25, Pedro Falcato wrote:
> Hi everyone,
>
> Yesterday, when pushing my first commits to edk2-platforms (as the
> Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
> 71f3343) stick out like a sore thumb, as I have GPG signing on my
> commits on by default (see git config commit.gpgsign), globally across
> all my projects.
>
> Is there an official stance on signed commits? I was thinking that
> commit signing, at least for the maintainers that apply and push
> patches, could be useful as a way to establish authenticity for every
> commit that gets to the edk2 repos.
>
> Best regards,
>
> Pedro Falcato
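
As an added example, not part of this thread and not EDK2's own tooling: the script below shows how a maintainer could check which commits in a branch actually carry a verifiable signature, which is the practical side of the question above. It relies only on the signature status codes git documents for the %G? placeholder in git-log(1); the sample log lines, hashes and names are constructed placeholders. Note the caveat that matches Marvin's point: git can only report a good signature ("G") when the signer's public key is in the local keyring and trusted, otherwise the commit shows up as unverifiable rather than verified.

```python
"""Audit which commits carry a verifiable signature.

Added example for this thread, not code from EDK2 or from either poster.
It reads the signature status git reports for the %G? placeholder
(documented in git-log(1)) and summarises coverage over a revision range.
The SAMPLE_LOG lines are constructed for illustration.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Meaning of each %G? status code, as documented in git-log(1).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# One tab-separated line per commit: hash, status code, signer, subject.
LOG_FORMAT = "%H%x09%G?%x09%GS%x09%s"


@dataclass
class CommitSignature:
    commit: str
    status: str
    signer: str
    subject: str

    @property
    def description(self) -> str:
        return SIGNATURE_STATUS.get(self.status, f"unknown code {self.status!r}")

    @property
    def verified(self) -> bool:
        # Only "G" means a good signature from a key the local keyring trusts.
        return self.status == "G"


def parse_log(text: str) -> list[CommitSignature]:
    """Parse lines produced with LOG_FORMAT into CommitSignature records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        if len(fields) != 4:
            raise ValueError(f"unexpected log line: {line!r}")
        records.append(CommitSignature(*fields))
    return records


def summarize(records: list[CommitSignature]) -> dict:
    """Count verified commits and list the ones a maintainer should look at."""
    unsigned = [r.commit for r in records if r.status == "N"]
    # Signed but not verifiable as good: bad, expired, revoked, or missing key.
    suspect = [(r.commit, r.description) for r in records
               if r.status not in ("G", "N")]
    return {
        "total": len(records),
        "verified": sum(1 for r in records if r.verified),
        "unsigned": unsigned,
        "suspect": suspect,
    }


def audit_repository(repo: str, rev_range: str = "HEAD") -> dict:
    """Run git log on a real checkout and summarise its signature status.

    Verification needs the signers' public keys in the local keyring;
    otherwise git reports "E" and the commit lands in the suspect list.
    """
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return summarize(parse_log(out))


# Constructed sample output (hashes and names are placeholders, not real commits).
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tExample Maintainer <maint@example.invalid>\tExample: signed and verified",
    "2222222222222222222222222222222222222222\tN\t\tExample: unsigned commit",
    "3333333333333333333333333333333333333333\tE\t\tExample: signed, key not in keyring",
    "4444444444444444444444444444444444444444\tU\tOther Dev <dev@example.invalid>\tExample: signed, key not trusted",
])

if __name__ == "__main__":
    for commit, why in summarize(parse_log(SAMPLE_LOG))["suspect"]:
        print(commit[:7], why)
```

Running `audit_repository("/path/to/edk2-platforms", "origin/master~50..origin/master")` on a real checkout gives the same summary for the last fifty commits; the "suspect" list is where a maintainer would look first, since those commits are signed but cannot be confirmed from the keys available locally.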