From: Vagrant Cascadian
To: Leo Famulari
Cc: Ludovic Courtès, Simon Tournier, guix-devel
Subject: Re: Rebasing commits and re-signing before mergeing (Was: ‘core-updates’ is gone; long live ‘core-packages-team’!)
References: <87le0cj13e.fsf@inria.fr> <87v7zby3r6.fsf@gmail.com> <87zfol170t.fsf@gnu.org> <87y144oew9.fsf@wireframe> <87tteso7ag.fsf@wireframe>
Date: Sat, 07 Sep 2024 19:33:12 -0700
Message-ID: <875xr6oown.fsf@wireframe>

On 2024-09-07, Leo Famulari wrote:
> On Fri, Sep 06, 2024 at 01:29:11PM -0700, Vagrant Cascadian wrote:
>> > In Guix, the "signed-off-by" tag gives credit to the reviewer of the
>> > patch, but doesn't indicate anything about authority to push to
>> > guix.git.
>>
>> That sounds more like a Reviewed-by tag.
>>
>> from doc/contributing.texi:
>>
>>   When pushing a commit on behalf of somebody else, please add a
>>   @code{Signed-off-by} line at the end of the commit log message---e.g.,
>>   with @command{git am --signoff}. This improves tracking of who did
>>   what.
>
> We used the signed-off-by tag for years before we started signing
> commits, so in Guix it has also indicated the person who performed the
> primary review of the patch / commit.

Well, guix documentation mentions both Signed-off-by and Reviewed-by,
even if historically there was different practice in use...

Given that "pushing a commit on behalf of someone else" also necessarily
requires for all practical purposes "signing" the commit with a valid
key, I read that as the two going together. Although there might be a
Signed-off-by by someone other than the signer.

Not a huge deal, really, in any case.

>> My understanding of what properly signed commits tell me, at least in
>> the context of Guix, is that the person who has signed a given commit
>> has made reasonable efforts to ensure the code works, is freely
>> licensed, and is not malicious, etc.
>
> I see. That's a misconception. The commit signature can only be used as
> a code-signing authorization tool, to control access to the
> authoritative copy of the codebase and, transitively, to control access
> to users' computers.
>
> The project leadership does aim to only authorize people they believe
> will make the efforts you describe above.
>
> But in Guix, the requirement to make those efforts is only enforced
> socially.
>
> There are no mechanisms to ensure that the build is not broken on the
> master branch, etc.

I do not see the distinction between social and technical mechanisms
here as... meaningful?

The code-signing authorization tool (e.g. technical) is a useful way to
track that social agreements of the project are being respected
(e.g. social) or not, and a mechanism to maintain those agreements.

That it also tracks the authoritative codebase seems a desirable
side-effect... which has both social and technical elements.

I have no illusions that someone could push a broken commit or otherwise
imperfect commit; I have even done so myself at least once or twice! The
question is more what to do when that happens, or repeatedly happens,
which has various technical measures to enforce the social norms.

live well,
  vagrant