[FFmpeg-devel] [RFC] git and signing commits and tags
Lynne
dev at lynne.ee
Mon Aug 8 22:26:52 EEST 2022
Aug 8, 2022, 16:50 by michael at niedermayer.cc:
> Given the recent server issues, i wonder if we should suggest/recommand
> and document signing commits and tags
>
> i tried to push such commit to github and it nicely says "verified"
> https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
>
> Ive generated a new gpg key for this experiment as i dont have my
> main key on the box used for git development and also using more
> modern eliptic curve stuff (smaller keys & sigs)
> i will upload this key to the keyservers in case it becomes the
> one i use for git.
>
I sign all of my commits, I think it should be recommended but
not required.
One downside is that you can sign commits from others with your
own key (for instance when pushing a patch from someone along
with your commits, and signing all at once via rebase), which can be
misleading, so it takes some work to reorder commits or push them
in stages so this doesn't happen. It makes sense that it's the
committer who's signing it, but git or github don't make a distinction
when it comes to signing.
More information about the ffmpeg-devel
mailing list