[FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing

Michael Niedermayer michael at niedermayer.cc
Sun Aug 28 20:50:41 EEST 2022


On Tue, Aug 23, 2022 at 03:07:53PM -0300, James Almer wrote:
> On 8/23/2022 3:00 PM, Michael Niedermayer wrote:
> > On Wed, Aug 10, 2022 at 12:19:02AM +0200, Michael Niedermayer wrote:
> > > On Tue, Aug 09, 2022 at 04:38:56PM -0300, James Almer wrote:
> > > > On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
> > > > > From: Michael Niedermayer <michael-git at niedermayer.cc>
> > [...]
> > > 
> > > > 
> > > > > +github consider mismatches a reason to declare such commits unverified. After generating a key you
> > > > > +can add it to the MAINTAINER file and upload it to a keyserver.
> > > > 
> > > > Maybe link some external documentation about gpg keys, explaining the
> > > > difference between public and private keys,
> > > 
> > > what do you recommend ?
> > 
> > ping ?
> > we could link to the gpg docs but that seems kind of silly
> 
> I have no recommendation.
> 
> > 
> > 
> > > 
> > > 
> > > > how to encrypt the private one
> > > > with a passphrase, etc.
> > > 
> > > Have you tried to generate a gpg key without a passphrase ?
> 
> I probably mixed it in my mind with ssh keys, where you can store a private
> key unencrypted.
> 
> > > I just tried, and failed, gpg keeps asking for a passphrase until you enter
> > > one or kill it. It kept haunting me and asking for a passphrase even after
> > > trying ctrl-c
> > > 
> > > 
> > > > Sites like gitlab tell you to not attempt to upload private keys,
> > > 
> > > ok
> > > 
> > > 
> > > > so i
> > > > imagine quite a lot of people have mistakenly done so in the past.
> > > 
> > > imagine?
> 
> "Every sign has a story". If Gitlab tells you to make sure to not attempt to
> upload a private key, then it could be that it has happened at some point.
> 
> > > 
> > > but what do you suggest? we can document how someone can create a key
> > > upload it and so on. You can provide me with a url that describes a
> > > working documentation for that, i surely do not have one. alot of
> > > documentations are somewhat bad. Many keyservers have died recently
> > > some existing keys like DSA seem to have some affinity to SHA1, and
> > > SHA1 is rejected today while at the same time still default on many
> > > setups, the one documentation i saw today to fix that DSA/SHA1 issue
> > > requires you to have a backup as it breaks your keys and is wrong.
> 
> If there's no good documentation or tutorial for this, then lets not bother
> with it. Your patch should be fine as is.

There may be a good one, its just that i dont know what to link to

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Never trust a computer, one day, it may think you are the virus. -- Compn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220828/bc248574/attachment.sig>


More information about the ffmpeg-devel mailing list