James Henstridge on Nostr: npub1pfe56…9e2dm I think you're overstating the "unsigned historical commit" ...
npub1pfe56vzppw077dd04ycr8mx72dqdk0m95ccdfu2j9ak3n7m89nrsf9e2dm (npub1pfe…e2dm) I think you're overstating the "unsigned historical commit" problem. A commit signature isn't a signature of the diff to the previous revision: it covers the entire tree state and revision history leading up to the commit.
If you signed a commit whose history contained a bunch of unsigned commits attributed to you, I could infer that you believe those are genuine too. The more signed commits by different people covering that history, the more sure I could be.
The trust/verification issue is a difficult issue though. A while back, I would have said developers cross-signing each other's PGP keys and using those for code signing would be the answer, but that seems more troublesome since the key server network collapsed. Also, if the project uses GitHub you'll need to deal with commits signed by GH's keys and decide what level of trust to place in them.
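To make the "signature covers the whole history" point concrete, here is an added example (my own code, not part of the post above) that rebuilds Git's loose-object hashing in Python and shows that the bytes a commit signature is computed over change when only an unsigned ancestor's message is altered. It assumes regular files only (no subdirectories) in trees; the author string and commit messages are constructed, and the empty-blob and empty-tree ids are Git's well-known values.

```python
# Added example: why a Git commit signature transitively covers every
# ancestor commit. Reimplements Git's object ids; not the post's own code.
import hashlib


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 of a loose Git object: '<kind> <size>\\0' + body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """entries: (mode, name, hex_oid) for regular files only (assumption)."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body)


def commit_payload(tree: str, parents, author: str, message: str) -> bytes:
    """Bytes a commit signature covers (the gpgsig header itself is excluded)."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}", "", message]
    return "\n".join(lines).encode() + b"\n"


def commit_id(payload: bytes) -> str:
    return git_object_id("commit", payload)


AUTHOR = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed


def build_chain(first_message: str):
    """Two unsigned commits followed by the commit that would be signed.
    Only the oldest commit's message varies; trees are identical."""
    t1 = tree_id([("100644", "a.txt", blob_id(b"original\n"))])
    c1 = commit_id(commit_payload(t1, [], AUTHOR, first_message))
    t2 = tree_id([("100644", "a.txt", blob_id(b"original\n")),
                  ("100644", "b.txt", blob_id(b"second\n"))])
    c2 = commit_id(commit_payload(t2, [c1], AUTHOR, "unsigned: add b.txt"))
    signed = commit_payload(t2, [c2], AUTHOR, "signed: release")
    return c1, c2, signed


def ancestor_tamper_changes_signed_bytes() -> bool:
    """Rewriting an unsigned ancestor invalidates the descendant's signature."""
    _, _, honest = build_chain("unsigned: add a.txt")
    _, _, tampered = build_chain("unsigned: add a.txt (rewritten)")
    return honest != tampered
```

Because the signed payload embeds the parent id, which embeds its own parent id and tree, rewriting any ancestor produces different signed bytes, so the existing signature no longer verifies.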