I’m curious to hear what the Lemmy programming community thinks of this!


  • The author argues against signing Git commits, stating that it adds unnecessary complexity to systems.
  • The author believes that signing commits perpetuates an engineering culture of blindly adopting complex tools.
  • The consequences of signing Git commits are likely to be subtle and not as dramatic as some may believe.

Archive link: https://archive.ph/vjDeK

  • MajorHavoc@programming.dev
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    9 months ago

    Great read.

    I agree about the culture problem. People want to slap extra encryption into things, like a spoiler on a hatchback.

    The core issue is that the problem being addressed by signed commits is already solved.

    Did MajorHavoc write this commit?

    If it has my username, on GitHub, you’re confident it’s my commit.

    Alternately, it could be someone with so much access to my SSH keys, or to GitHib’s infrastructure, that they could easily sign commits as me, anyway.

    Signed commits might become more compelling when we start to favor fully open source federated git solutions. At that point, if I’m famously trustworthy, and the repo I submitted a signed commit to is not, then my signature could mean something.

    But even then, there’s the risk that someone interprets my 4 minute typo fix as my having some clue whether the repo is actually safe to use…