From: Leo Famulari
Date: Fri, 26 May 2023 13:54:57 -0400
To: Josselin Poiret
Cc: Maxim Cournoyer, guix-devel@gnu.org
Subject: Re: Should commit signing always be required for local work? [was Re: bug#63261: Recent changes to git config cause errors for non-committers]

On Fri, May 19, 2023 at 11:34:35AM +0200, Josselin Poiret wrote:
> I'm curious Leo, in general (not Guix because we have a pre-push hook),
> how do you make sure you always publish signed commits? I don't want to
> put unsigned commits anywhere except locally, but it feels like I might
> just forget to sign them before pushing.

In general, I don't rigorously sign Git commits for projects that aren't
Guix. You could set "gpgsign = true" in '~/.gitconfig'.

I do sign commits sometimes for non-Guix projects, but without a
code-authentication system like Guix's, I don't perceive a strong reason
to always sign commits.

There is *some* reason to always sign commits, which is to provide an
unambiguous statement of authorship / provenance. But, it doesn't seem
like most projects have a mechanism with which to derive value from the
signatures.

Also, it doesn't seem like there is much demand for this, in general.
Git itself offers nothing, so each project has to design their own
solution. I doubt many projects would consider that effort to be
worthwhile. Instead they rely on the access controls of their
centralized repo, typically GitHub, and GitHub's security seems fine in
practice.

I think that Guix is pushing the state of the art here.
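A push-time check for the concern in the quoted question, as an added example that is not part of the original e-mail and is not Guix's own pre-push hook: Git's `commit.gpgSign` setting signs at commit time, while this `.git/hooks/pre-push` script refuses to publish commits that `git log`'s `%G?` placeholder reports as unsigned (`N`) or badly signed (`B`). The function names and the choice to block only `N` and `B` are assumptions made for this example.

```shell
#!/bin/sh
# Added example pre-push hook: refuse to publish unsigned commits.
# Git runs the hook as: pre-push <remote-name> <remote-url>, and feeds
# "<local ref> <local oid> <remote ref> <remote oid>" lines on stdin.

is_zero() {   # true when an object name consists only of zeros
    [ -z "$(printf '%s' "$1" | tr -d 0)" ]
}

# Print the revision arguments selecting the commits a push would publish.
# $1 = remote name, $2 = local object name, $3 = remote object name.
push_range() {
    if is_zero "$2"; then
        return 0                                    # ref deletion: nothing published
    elif is_zero "$3"; then
        printf '%s --not --remotes=%s\n' "$2" "$1"  # new ref: commits the remote lacks
    else
        printf '%s..%s\n' "$3" "$2"                 # update of an existing ref
    fi
}

# Read "<hash> <%G? status>" lines and print the hashes to block.
# Assumed policy: block N (no signature) and B (bad signature).
filter_unsigned() {
    while read -r hash status; do
        case "$status" in
            N|B) printf '%s\n' "$hash" ;;
        esac
    done
}

check_push() {   # $1 = remote name; stdin = ref lines supplied by git
    rc=0
    while read -r local_ref local_oid remote_ref remote_oid; do
        range=$(push_range "$1" "$local_oid" "$remote_oid")
        [ -n "$range" ] || continue
        # $range is left unquoted on purpose: it may hold several arguments.
        bad=$(git log --format='%H %G?' $range | filter_unsigned)
        if [ -n "$bad" ]; then
            echo "pre-push: $local_ref has unsigned or badly signed commits:" >&2
            echo "$bad" >&2
            rc=1
        fi
    done
    return $rc
}

# Act as a hook only when installed under the name "pre-push".
case "$0" in
    */pre-push) check_push "$1" || exit 1 ;;
esac
```

A local hook like this only guards pushes from the clone it is installed in; it gives downstream users nothing to verify, which is the gap the e-mail attributes to projects without a code-authentication system.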