public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Chris Beams <chris@beams.io>
To: Wladimir <laanwj@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] PSA: Please sign your git commits
Date: Wed, 21 May 2014 18:39:44 +0200	[thread overview]
Message-ID: <7B48B9D4-5FB0-42CA-A462-C20D3F345A9A@beams.io> (raw)
In-Reply-To: <CA+s+GJBNWh0Py9KB4Y+B19ACeHOygtkLrPw5SbZ0SrVs50pqvg@mail.gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 4753 bytes --]

Hi Wladimir,

I'm personally happy to comply with this for any future commits, but wonder if you've considered the arguments against commit signing [1]? Note especially the reference therein to Linus' original negative opinion on signed commits [2].

I came across these when searching for a way to enable signing by default, e.g. a `git config` option that might allow for this. Unfortunately, there isn't one, meaning it's likely that most folks will forget to do this most of the time.

If you're really serious about it, you should probably reject pull requests without signed commits; otherwise, signing becomes meaningless because only honest authors do it, and forgetful or malicious ones can avoid it without penalty.

That said, I'm not sure that creating such a barrier to contribution is worth it.

- Chris

[1]: http://stackoverflow.com/a/10166916/622403
[2]: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

On May 21, 2014, at 2:23 PM, Wladimir <laanwj@gmail.com> wrote:

> Hello all,
> 
> When you're contributing to Bitcoin Core development please sign your
> git commits. This is easy to do and will help in assuring the
> integrity of the tree.
> 
> How to sign your commits?
> ------------------------------------------
> 
> Provide the `-S` flag (or `--gpg-sign`) to git commit when you commit
> your changes, for example
> 
>    git commit -m "Commit message" -S
> 
> Optionally you can provide a key id after the -S option to sign with a
> specific key.
> 
> What if I forgot?
> -------------------------
> 
> You can retroactively sign your previous commit using --amend, for example
> 
>    git commit -S --amend
> 
> If you need to go further back, you can use the interactive rebase
> command with 'edit'. Replace HEAD~3 with the base commit from which
> you want to start.
> 
>    git rebase -i HEAD~3
> 
> Replace 'pick' by 'edit' for the commit that you want to sign and the
> rebasing will stop after that commit. Then you can amend the commit as
> above. Afterwards, do
> 
>    git rebase --continue
> 
> As this will rewrite history, you cannot do this when your commit is
> already merged. In that case, too bad, better luck next time.
> 
> If you rewrite history for another reason - for example when squashing
> commits - make sure that you re-sign as the signatures will be lost.
> 
> How to check if commits are signed?
> -------------------------------------------------------
> 
> Use git log with show-signature,
> 
>    git log --show-signature
> 
>    commit 6fcdad787f1fb381a3a0fe6b1a1e45477426dccb
>    gpg: Signature made Wed 21 May 2014 12:27:55 PM CEST using RSA key
> ID 2346C9A6
>    gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
>    Author: Wladimir J. van der Laan <laanwj@gmail.com>
>    Date:   Wed May 21 12:27:37 2014 +0200
> 
>        qt: Periodic language update
>    ...
> 
> You can also pass the --show-signature option to `git show` to check a
> single commit.
> 
> If you do this on the current repository you'll see that I'm almost
> the only person signing commits. I would like more people to get into
> this habit.
> 
> How to sign merges?
> --------------------------------
> 
> When using the github interface to merge a pull request, the resulting
> merge commit is not signed.
> 
> Pieter Wullie wrote a script that simplifies merging and signing. It
> can be found in contrib/devtools. Setup instructions can be found in
> the README.md in that directory. After setting it up for the
> repository you can use the script in the following way:
> 
>    contrib/devtools/github-merge.sh 1234
> 
> Replace 1234 by the pull request number that you want to merge. It
> will merge the pull request and drop you into a shell so you can
> verify changes and test. Once satisfied, exit the shell and answer the
> questions to merge and sign it and push upstream automatically (or
> not).
> 
> Please use this script when possible for merging instead of the github
> interface.
> 
> --------------------------
> 
> Wladimir
> 
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development


[-- Attachment #1.2: Type: text/html, Size: 5756 bytes --]

[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 842 bytes --]

  reply	other threads:[~2014-05-21 17:28 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-21 12:23 [Bitcoin-development] PSA: Please sign your git commits Wladimir
2014-05-21 16:39 ` Chris Beams [this message]
2014-05-21 17:10   ` Wladimir
2014-05-21 20:30     ` Mark Friedenbach
2014-05-21 21:02       ` Gregory Maxwell
2014-05-22 18:06         ` Jeff Garzik
2014-05-23  0:25           ` Peter Todd
2014-05-23  7:12           ` Wladimir
2014-05-23 16:38             ` Mark Friedenbach
2014-05-23 16:48             ` Kyle Jerviss
2014-05-23 17:32               ` Gregory Maxwell
2014-05-23 10:23     ` Wladimir
2014-06-09 15:34       ` Chris Beams
2014-05-21 20:25   ` David A. Harding
2014-05-22  1:09     ` Chris Beams

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7B48B9D4-5FB0-42CA-A462-C20D3F345A9A@beams.io \
    --to=chris@beams.io \
    --cc=bitcoin-development@lists.sourceforge.net \
    --cc=laanwj@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox