[FFmpeg-devel] [RFC] git and signing commits and tags

Michael Niedermayer michael at niedermayer.cc
Tue Aug 9 01:36:53 EEST 2022


On Mon, Aug 08, 2022 at 09:26:52PM +0200, Lynne wrote:
> Aug 8, 2022, 16:50 by michael at niedermayer.cc:
> 
> > Given the recent server issues, I wonder if we should suggest/recommend
> > and document signing commits and tags
> >
> > I tried to push such a commit to github and it nicely says "verified"
> > https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
> >
> > I've generated a new gpg key for this experiment as I don't have my
> > main key on the box used for git development and also using more
> > modern elliptic curve stuff (smaller keys & sigs)
> > I will upload this key to the keyservers in case it becomes the
> > one I use for git.
> >
> 
> I sign all of my commits, 

I didn't notice, but that's good as it also proves it works with no ill
side effects

Where can I find your public key? It seems it's not on the keyservers I checked


> I think it should be recommended but
> not required.

Yes, for now, that's certainly the right path. In the future
this should maybe be reevaluated


> 
> One downside is that you can sign commits from others with your
> own key (for instance when pushing a patch from someone along
> with your commits, and signing all at once via rebase), which can be
> misleading, so it takes some work to reorder commits or push them
> in stages so this doesn't happen. It makes sense that it's the
> committer who's signing it, but git or github don't make a distinction
> when it comes to signing.

I don't see much harm if other commits are signed too.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
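
The case Lynne raises above (a signature from the committer's key ending up on a patch authored by someone else, for instance after a rebase) can be listed from `git log` output. This is an added example, not part of the original thread; the function name `foreign_signed`, the `|`-separated record layout and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Input records, one per line: hash|author-email|committer-email|signature-status
# In a real checkout they come from:
#   git log --format='%H|%ae|%ce|%G?' <range>
# %G? is git's signature status: G good, U good but unknown validity,
# B bad, X/Y expired, R revoked key, E cannot be checked, N unsigned.

# Print every signed commit whose author differs from its committer,
# i.e. a commit where the signature does not come from the patch author.
foreign_signed() {
    while IFS='|' read -r hash author committer status; do
        if [ -z "$hash" ]; then continue; fi
        case "$status" in
            N)   continue ;;              # unsigned, nothing to attribute
            G|U) verdict=valid ;;
            E)   verdict=unchecked ;;     # signer's key is not in the keyring
            *)   verdict=problem ;;       # B, X, Y, R
        esac
        # Assumption: addresses are compared case-insensitively.
        a=$(printf '%s' "$author" | tr '[:upper:]' '[:lower:]')
        c=$(printf '%s' "$committer" | tr '[:upper:]' '[:lower:]')
        if [ "$a" = "$c" ]; then continue; fi
        printf '%s %s author=%s committer=%s\n' \
            "$hash" "$verdict" "$author" "$committer"
    done
}

# Constructed sample records (not real FFmpeg commits).
sample_log() {
cat <<'EOF'
1111111|alice@example.org|alice@example.org|G
2222222|bob@example.org|alice@example.org|G
3333333|carol@example.org|alice@example.org|N
4444444|Bob@Example.org|bob@example.org|U
5555555|dave@example.org|alice@example.org|E
EOF
}

sample_log | foreign_signed
```

Run over the range about to be pushed, the output shows which commits would need to be reordered or pushed in a separate stage to avoid the effect described.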