
Patch flow into the mainline for 4.14

Patch flow into the mainline for 4.14

Posted Oct 25, 2017 2:59 UTC (Wed) by unixbhaskar (guest, #44758)
Parent article: Patch flow into the mainline for 4.14

Making all commits from everyone mandatory to be signed... otherwise refused to be pulled in or merged into the mainline. Sounds harsh, but that is what it should be. I believe many wise heads are there already thinking along that line and am surprised it is not yet imposed or implemented. Love to know the constraints.



Patch flow into the mainline for 4.14

Posted Oct 27, 2017 3:37 UTC (Fri) by flussence (guest, #85566) [Link] (2 responses)

Signing in git really isn't as hard or scary as people think it is. Make a key if necessary, configure gpg-agent so it caches key passwords for at least a few seconds (or else rebases will be painful), and set commit.gpgSign.

The only recurring effort is re-entering passwords, but there's nothing to stop you setting gpg-agent's cache time really high if it gets annoying.

Patch flow into the mainline for 4.14

Posted Oct 27, 2017 12:45 UTC (Fri) by JFlorian (guest, #49650) [Link]

In general use of gpg-agent, I wish the cache time could be dynamic. So, say it starts with a default of 10m. I use it immediately for a key and then again at 8m into that lifetime. Here it would be nice to get an automatic extension of another 8m and so on until it does finally time out due to no use. I think that would be much more convenient and likely more secure simply because it might mean fewer people use really high timeout values. Better convenience might also translate to higher adoption rates.

Patch flow into the mainline for 4.14

Posted Oct 27, 2017 16:40 UTC (Fri) by Creideiki (subscriber, #38747) [Link]

It kind of is, if you want to do it properly. I have some scripts (available at https://github.com/saab-simc-admin/workflow-tools) for maintaining an all-signed workflow, and the amount of corner cases and badly designed interfaces I have to handle is staggering.

Not to mention the fact that since nobody uses signatures, the code isn't tested - libgit2 (which is, among other things, the base for Ruby's Git support) used to corrupt the plaintext of signed commits due to a use-after-free bug.
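The "refuse unsigned commits" policy proposed at the top of this thread can be checked mechanically from git's `%G?` signature status. The following is an added example, not part of any comment above or of the linked workflow-tools scripts; the function name `check_signed`, the strict "only `G` passes" policy, the example range and the sample log lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate a range of commits on their signature status.
# Input: one line per commit, "<hash> <status> <author>", as produced by
#   git log --format='%H %G? %an' <range>   (e.g. origin/master..HEAD)
# Policy assumed here: only status G (good, valid signature) is accepted.

check_signed() {
    # Reads log lines on stdin, prints every rejected commit with a reason,
    # and returns 0 only if all commits were accepted.
    rc=0
    while read -r hash status author; do
        [ -n "$hash" ] || continue          # skip blank lines
        case "$status" in
            G) continue ;;
            N) reason="no signature" ;;
            B) reason="bad signature" ;;
            U) reason="good signature, unknown validity" ;;
            X) reason="signature has expired" ;;
            Y) reason="signed by an expired key" ;;
            R) reason="signed by a revoked key" ;;
            E) reason="signature cannot be checked (missing key?)" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        printf '%s %s: %s\n' "$hash" "$author" "$reason"
        rc=1
    done
    return $rc
}

# Constructed sample input (not real commits): one signed, one unsigned,
# one signed with a key the verifier does not have.
check_signed <<'EOF' || echo "range rejected"
1111111 G Alice Example
2222222 N Bob Example
3333333 E Carol Example
EOF
```

Treating `U` and `E` as failures means the verifier's keyring and trust settings become part of the policy, which is one of the corner cases an all-signed workflow has to handle.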


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds