On Fri, May 19, 2023 at 11:34:35AM +0200, Josselin Poiret wrote:
> I'm curious Leo, in general (not Guix because we have a pre-push hook),
> how do you make sure you always publish signed commits? I don't want to
> put unsigned commits anywhere except locally, but it feels like I might
> just forget to sign them before pushing.

In general, I don't rigorously sign Git commits for projects that aren't
Guix. You could set "gpgsign = true" in '~/.gitconfig'.

I do sign commits sometimes for non-Guix projects, but without a
code-authentication system like Guix's, I don't perceive a strong reason
to always sign commits.

There is *some* reason to always sign commits, which is to provide an
unambiguous statement of authorship / provenance. But, it doesn't seem
like most projects have a mechanism with which to derive value from the
signatures.

Also, it doesn't seem like there is much demand for this, in general. Git
itself offers nothing, so each project has to design its own solution. I
doubt many projects would consider that effort to be worthwhile. Instead
they rely on the access controls of their centralized repo, typically
GitHub, and GitHub's security seems fine in practice.

I think that Guix is pushing the state of the art here.
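A pre-push hook of the kind Josselin mentions, as an added example (it is not Guix's hook and not code from either message): it refuses to push any commit whose signature git does not report as good. It assumes the signers' public keys are in the local GPG keyring and that the script is installed as `.git/hooks/pre-push`; the helper names are mine.

```shell
#!/bin/sh
# Added example: a pre-push hook that refuses to publish commits without a
# good signature. Install as .git/hooks/pre-push and make it executable.
# Assumes the signing keys are in the local GPG keyring, so `git log` can
# report %G? as G (good) or U (good, untrusted key). N (no signature),
# B (bad), E (key missing) and X/Y/R (expired or revoked) are rejected.

zero=0000000000000000000000000000000000000000   # sha git uses for "no ref"

# Reads "<sha> <G?>" lines on stdin; prints offenders, returns 1 if any.
check_signature_lines() {
    bad=0
    while read -r sha status; do
        case "$status" in
            G|U) ;;
            *) printf 'refusing %s: signature status %s\n' "$sha" "$status" >&2
               bad=1 ;;
        esac
    done
    return "$bad"
}

# Prints the rev-list arguments covering the commits a push line would send:
# a new remote branch -> everything not already on that remote; else the range.
# Arguments: <local sha> <remote sha> <remote name>
push_range() {
    if [ "$2" = "$zero" ]; then
        printf '%s --not --remotes=%s\n' "$1" "$3"
    else
        printf '%s..%s\n' "$2" "$1"
    fi
}

# Hook entry point: git passes the remote name and URL as arguments and one
# "<local ref> <local sha> <remote ref> <remote sha>" line per ref on stdin.
run_hook() {
    remote=$1
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ "$local_sha" = "$zero" ] && continue   # ref deletion: nothing to sign
        # shellcheck disable=SC2046  (word splitting of the range is intended)
        git log --format='%H %G?' $(push_range "$local_sha" "$remote_sha" "$remote") \
            | check_signature_lines || exit 1
    done
}

if [ "$#" -ge 1 ]; then run_hook "$@"; fi
```

Pair it with `git config --global commit.gpgsign true` (the "gpgsign = true" setting Leo mentions) so commits are signed when they are created, and the hook only has to catch the ones that slipped through.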