Archived from https://github.com/python/devguide/issues/834 (Wayback Machine capture of 2022-06-12).
Add info on how to verify/sign commits on GitHub #834

Open

Mariatta opened this issue Apr 14, 2022 · 2 comments

Comments
Mariatta (Member) commented Apr 14, 2022

GitHub documentation about verified commits: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

We should advise contributors to sign and verify their commits. This way, we can be sure that they actually own the email address they use in their commits.

gpshead (Member) commented Apr 14, 2022

That's a false promise. GPG does not verify identity or email addresses. It merely verifies access to a private key. Logging into GitHub effectively does the same thing.

For a signature to do more than that people would have to become GPG zealots with key signing chains of trust and a pinky swear to never store their GPG private credentials on the same machine that ever has their GitHub credentials or equivalents. I can probably count people who meet that criteria in Python land on one hand.

Signed commits within git may be useful in some git circumstances, and aren't harmful, but they run the risk of people believing that signature means something it cannot without a level of OpSec we can't require of committers, let alone contributors. It seems like a more interesting concept for actually distributed projects rather than things centralizing on GitHub.

So if we're going to mention this in the docs just merely link to the GitHub info on it as something people might want to do. Let's not make any authentication claims about it.

Apologies for standing on a 🧼 🎁. 😋
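The point made in the comment above, that a "good" signature proves possession of a private key and nothing about the e-mail address, can be shown end to end. The script below is an added example, not code from the devguide or from anyone in this thread. It assumes `git` and `gpg` (2.1 or later) are installed; the helper name `demo_self_asserted_signature`, the user ID `Someone Else <someone.else@example.invalid>` and the throwaway key are constructed for the demonstration. It generates a key claiming an address the key holder does not own, signs a commit with it, and has `git verify-commit` report success, because the only thing verified is that the signing key is in the local keyring.

```shell
#!/bin/sh
# Added example; not part of the devguide or of the issue thread above.
# Demonstrates that a verifiable commit signature proves possession of a
# private key, not ownership of the e-mail address in the commit: both the
# key's user ID and the commit author field are asserted by whoever made them.
# Assumes git and gpg (2.1+) are installed. Everything runs in a throwaway
# GNUPGHOME and a throwaway repository, so no real keyring is touched.

_cleanup() {
  gpgconf --kill gpg-agent >/dev/null 2>&1
  rm -rf "$1"
}

# Prints "<status> <author e-mail>", e.g. "good someone.else@example.invalid",
# or "skipped" when git or gpg is not available.
demo_self_asserted_signature() {
  if ! command -v git >/dev/null 2>&1 || ! command -v gpg >/dev/null 2>&1; then
    echo skipped
    return 0
  fi
  work=$(mktemp -d) || return 1
  GNUPGHOME="$work/gnupg"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # Constructed identity: an address the key holder does not control.
  claimed='someone.else@example.invalid'
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Someone Else <$claimed>" default sign 0 >/dev/null 2>&1 \
    || { _cleanup "$work"; echo keygen-failed; return 1; }
  # Fingerprint of the key just generated (field 10 of the "fpr" record).
  fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')

  git init -q "$work/repo" || { _cleanup "$work"; return 1; }
  # Author name/e-mail are plain config values; nothing checks them.
  git -C "$work/repo" \
      -c user.name='Someone Else' -c user.email="$claimed" \
      -c user.signingkey="$fpr" -c gpg.program=gpg \
      commit -q --allow-empty -S -m 'signed commit' >/dev/null 2>&1 \
    || { _cleanup "$work"; echo sign-failed; return 1; }

  # verify-commit exits 0 for a good signature by any key in the keyring,
  # regardless of whose address the key claims.
  if git -C "$work/repo" verify-commit HEAD >/dev/null 2>&1; then
    status=good
  else
    status=bad
  fi
  author=$(git -C "$work/repo" log -1 --format='%ae')
  _cleanup "$work"
  echo "$status $author"
}

demo_self_asserted_signature
```

Run as `sh demo.sh`; the expected line is `good someone.else@example.invalid`. What the signature binds is the commit content to the key fingerprint; mapping that fingerprint to a person or to a mailbox is a separate trust decision that neither `git verify-commit` nor the signature itself makes.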

Mariatta (Member, Author) commented Apr 14, 2022

Thanks for the correction!

3 participants