Subject: Re: [edk2-devel] Question about EDK2 and commit signing
To: devel@edk2.groups.io, pedro.falcato@gmail.com
From: Marvin Häuser
Message-ID: <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>
Date: Sun, 12 Sep 2021 09:53:34 +0000

Hey,

Just my 2 cents...

Contributors: Git's stance is the author doesn't really matter as long as the code is acceptable. For most people, you will not know them anyway and it does not buy you much to know they own GitHub account XY. If someone is impersonating a maintainer (who would push the changes directly after review), that would be obvious anyway.
Maintainers: Why would someone have access to your SSH key but not your GPG key? Especially if your commits are auto-signed, both keys are likely equally readable. More factors do not meaningfully increase security if they are not clearly separate. I'm sure nobody minds your signatures though. :)

Best regards,
Marvin

On 11/09/2021 20:25, Pedro Falcato wrote:
> Hi everyone,
>
> Yesterday, when pushing my first commits to edk2-platforms (as the
> Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
> 71f3343) stick out like a sore thumb, as I have GPG signing on my
> commits on by default (see git config commit.gpgsign), globally across
> all my projects.
>
> Is there an official stance on signed commits? I was thinking that
> commit signing, at least for the maintainers that apply and push
> patches, could be useful as a way to establish authenticity for every
> commit that gets to the edk2 repos.
>
> Best regards,
>
> Pedro Falcato
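Pedro's question is whether signed commits can establish authenticity for what lands in the edk2 repos; a signature only does that if something checks it against a list of maintainer keys. The policy check below is an added example, not code from this thread or from the edk2 project: it assumes the commit list comes from `git log --format='%H %G? %GK'`, and the maintainer key list and log lines are constructed placeholders.

```python
from dataclasses import dataclass

# Meaning of the status letter printed by git's %G? placeholder.
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

TRUSTED_KEYS = {"0123456789ABCDEF"}  # constructed placeholder: long key IDs of maintainers allowed to push

# Constructed sample of 'git log --format=%H %G? %GK' output, one commit per line.
SAMPLE_LOG = [
    "a" * 40 + " G 0123456789ABCDEF",   # signed by a listed maintainer
    "b" * 40 + " G FEDCBA9876543210",   # valid signature, but the key is not a maintainer's
    "c" * 40 + " N",                    # unsigned commit
    "d" * 40 + " E 0123456789ABCDEF",   # signed, but the key is not available locally
]

@dataclass
class CommitCheck:
    sha: str
    status: str
    key: str
    ok: bool
    reason: str

def check_commit_line(line, trusted_keys):
    """Decide whether one commit passes the signing policy."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"unexpected git log line: {line!r}")
    sha, status = parts[0], parts[1]
    key = parts[2] if len(parts) > 2 else ""
    # Only a good signature counts; U/X/Y/R/E fail even though gpg found a signature.
    if status != "G":
        return CommitCheck(sha, status, key, False, SIGNATURE_STATUS.get(status, "unknown status"))
    # A good signature is not enough: the key must belong to a known maintainer.
    if key not in trusted_keys:
        return CommitCheck(sha, status, key, False, "good signature but key not in maintainer list")
    return CommitCheck(sha, status, key, True, "good signature from trusted key")

def audit(lines, trusted_keys):
    return [check_commit_line(ln, trusted_keys) for ln in lines if ln.strip()]
```

For a real repository, feed `audit` the lines of `git log --format='%H %G? %GK' <range>` run on a machine that has the maintainers' public keys imported; without those keys every signed commit shows up as `E` and fails.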