Filippo Valsorda :go: /
npub1whz…kn2m
2023-06-06 11:59:33
in reply to nevent1q…3zue

git commit signing by the Committer is a broken model: it requires the key to be available in every env (hence the "signed by GitHub" verified commits); it asks developers to manage keys; it has no good support for key rotation; and signs a statement of dubious value ("this is a commit I made or rebased at some point").

git push signing is better, but really what matters is "what did the code host serve as main at time T" and that's a perfect statement to put in a code host-maintained tlog.
Author Public Key
npub1whzyg92c6fsvpjjcnn504z0a2pfwenctp872sgmedqg2np4drj8qwakn2m