From: Chris Beams
Date: Mon, 9 Jun 2014 17:34:18 +0200
To: Wladimir, Bitcoin Dev
Subject: Re: [Bitcoin-development] PSA: Please sign your git commits

An update on this topic:

With the release of Git 2.0, automatic commit signing is now possible with the 'commit.gpgsign' configuration option [1]. This means that interactively rebased or cherry-picked commits are also re-signed on the fly. The absence of this ability in prior versions of Git meant that signing every commit wasn't a practical policy for anyone using rebase as a regular part of their local development workflow. Now it can be.

Merging also works as expected with this feature turned on.

One caveat I've identified thus far is a negative impact on speed when a large number of commits are involved. Any time you're signing a commit, you're interacting with the gpg-agent daemon, and this is roughly an order of magnitude slower than signing without committing.

Speed without signing:

    $ echo '' >> README.md; time git commit -am"Test commit speed" --no-gpg-sign
    [...]
    real 0m0.031s

and with:

    $ echo '' >> README.md; time git commit -am"Test commit speed" --gpg-sign
    [...]
    real 0m0.360s

For a single commit, this slowdown is negligible as it is still well below sub-second. However, if one were rebasing a local development branch with dozens of commits, you can see how the time would quickly add up.

Personally, I think that in practice I'll be willing to deal with a few seconds' wait on those relatively rare occasions, and therefore I'm going to keep auto-signing enabled for now [2].

- Chris

[1]: http://article.gmane.org/gmane.comp.version-control.git/250341
[2]: https://github.com/cbeams/dotfiles/commit/d7da74

On May 23, 2014, at 12:23 PM, Wladimir wrote:

> On Wed, May 21, 2014 at 7:10 PM, Wladimir wrote:
>> Hello Chris,
>>
>> On Wed, May 21, 2014 at 6:39 PM, Chris Beams wrote:
>>> I'm personally happy to comply with this for any future commits, but wonder
>>> if you've considered the arguments against commit signing [1]? Note
>>> especially the reference therein to Linus' original negative opinion on
>>> signed commits [2].
>>
>> Yes, I've read it. But would his alternative, signing tags, really
>> help us more here? How would that work? How would we have to structure
>> the process?
>
> I think a compromise - that is similar to signing tags but would still
> work with the github process, and leaves a trail after merge - would
> be: if you submit a stack of commits, only sign the most recent one.
>
> As each commit contains the cryptographic hash of the previous commit,
> which in turn contains the hash of that before it up to the root
> commit, signing every commit if you have multiple in a row is
> redundant.
>
> I'll update the document and put it in the repository.
>
> Wladimir
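
The hash-chain argument in the quoted reply (sign only the newest commit of a stack), as an added example that is not part of the original messages: it serializes commits in Git's object layout and shows that the tip id pins every ancestor. The function names, the identity line and the tree ids are constructed for illustration, and the GPG signature itself is not modelled, only the parent links it relies on.

```python
import hashlib

IDENT = "Example Dev <dev@example.invalid> 1402328058 +0200"  # constructed identity

def commit_bytes(tree, parent, message):
    """Serialize a commit body in Git's layout: headers, blank line, message."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")  # the link a tip signature relies on
    lines += [f"author {IDENT}", f"committer {IDENT}", "", message, ""]
    return "\n".join(lines).encode()

def object_id(body):
    """Git object id: SHA-1 of the header 'commit <size>' + NUL, then the body."""
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

def build_stack(messages):
    """Build a linear stack of commits; return (object store, tip id)."""
    store, parent = {}, None
    for n, message in enumerate(messages):
        tree = hashlib.sha1(b"constructed tree %d" % n).hexdigest()  # placeholder
        body = commit_bytes(tree, parent, message)
        parent = object_id(body)
        store[parent] = body
    return store, parent

def parent_of(body):
    """Return the parent id named in a commit's header, or None for a root."""
    header = body.decode().split("\n\n", 1)[0]
    for line in header.splitlines():
        if line.startswith("parent "):
            return line.split()[1]
    return None

def verify_ancestry(store, tip):
    """Re-hash every commit reachable from tip; return how many were checked.

    Raises ValueError if a stored commit no longer hashes to the id that its
    child (or, for the tip, the signed object) names.
    """
    checked, oid = 0, tip
    while oid is not None:
        body = store[oid]
        if object_id(body) != oid:
            raise ValueError(f"commit {oid[:12]} does not match its id")
        checked += 1
        oid = parent_of(body)
    return checked

if __name__ == "__main__":
    store, tip = build_stack(["Add feature", "Fix typo", "Add tests"])
    print("tip", tip, "covers", verify_ancestry(store, tip), "commits")
```

Changing any earlier commit either breaks its own id or produces a different tip id, so a signature over the original tip no longer applies to the altered history.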