Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
taigrr8786yWell... There's really no point in gpg signing all your commits. As long as you sign the head before releasing. All it does is cost extra space and time to sign every single commit.
-
You're literally **the** ascended Linux monk and didn't use git, that's surprising.
-
tokumei21256y@Jifuna Not if your signing key is on a smartcard that requires physical interaction each time you want to perform an operation. :/
-
taigrr8786y@Jifuna I mean, I'm basically rewording what Torvalds said so I'm probably not wrong. He did invent git after all....
-
tokumei21256y@taigrr that also might not be enough. Signing a commit means "this is my identity, I vouch for the state of the code at this point".
Signing at every release means you'd have to verify all changes made since the last signed commit, whereas if you can sign at every commit, you only have to verify that your changes and the parent commit are correct for that single commit. -
taigrr8786y@tokumei yeah, you have a point there.
I'm gonna show my cards now: I also sign every commit, but everybody says not to, so I was trying to see if I could find an actual good argument. My use case is that I roll out changes daily to prod, so from either perspective I'm probably alright.
It does still beg the question though, shouldn't you be verifying everything is good from head to branch before releasing a merge anyway :P
I have a confession to make....
I just started to use git two days ago.
But atleast I GPG sign my commits
rant