46
Linux
6y

I have a confession to make....

I just started to use git two days ago.
But atleast I GPG sign my commits

Comments
  • 3
    What did you use before?
  • 10
    @gitreflog
    A tiny bit of SVN.
  • 3
    Well... There's really no point in gpg signing all your commits. As long as you sign the head before releasing. All it does is cost extra space and time to sign every single commit.
  • 3
    You're literally **the** ascended Linux monk and didn't use git, that's surprising.
  • 6
    @taigrr Not if you auto sign everything
  • 1
    Why is signing required though?
  • 2
    @Jifuna Not if your signing key is on a smartcard that requires physical interaction each time you want to perform an operation. :/
  • 1
    @Jifuna I mean, I'm basically rewording what Torvalds said so I'm probably not wrong. He did invent git after all....
  • 1
    @taigrr that also might not be enough. Signing a commit means "this is my identity, I vouch for the state of the code at this point".

    Signing at every release means you'd have to verify all changes made since the last signed commit, whereas if you can sign at every commit, you only have to verify that your changes and the parent commit are correct for that single commit.
  • 2
    @tokumei yeah, you have a point there.

    I'm gonna show my cards now: I also sign every commit, but everybody says not to, so I was trying to see if I could find an actual good argument. My use case is that I roll out changes daily to prod, so from either perspective I'm probably alright.

    It does still beg the question though, shouldn't you be verifying everything is good from head to branch before releasing a merge anyway :P
  • 1
    @taigrr

    It looks better,
Add Comment