Content-Type: multipart/signed;
	boundary="Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460";
	protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Chris Beams <chris@beams.io>
In-Reply-To: <CA+s+GJBNWh0Py9KB4Y+B19ACeHOygtkLrPw5SbZ0SrVs50pqvg@mail.gmail.com>
Date: Wed, 21 May 2014 18:39:44 +0200
Message-Id: <7B48B9D4-5FB0-42CA-A462-C20D3F345A9A@beams.io>
References: <CA+s+GJBNWh0Py9KB4Y+B19ACeHOygtkLrPw5SbZ0SrVs50pqvg@mail.gmail.com>
To: Wladimir <laanwj@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] PSA: Please sign your git commits


--Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_FD74865F-B43E-4BD4-8E42-0104BF84618E"


--Apple-Mail=_FD74865F-B43E-4BD4-8E42-0104BF84618E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Wladimir,

I'm personally happy to comply with this for any future commits, but
wonder if you've considered the arguments against commit signing [1]?
Note especially the reference therein to Linus' original negative
opinion on signed commits [2].

I came across these when searching for a way to enable signing by
default, e.g. a `git config` option that might allow for this.
Unfortunately, there isn't one, meaning it's likely that most folks will
forget to do this most of the time.

If you're really serious about it, you should probably reject pull
requests without signed commits; otherwise, signing becomes meaningless
because only honest authors do it, and forgetful or malicious ones can
avoid it without penalty.

That said, I'm not sure that creating such a barrier to contribution is
worth it.

- Chris

[1]: http://stackoverflow.com/a/10166916/622403
[2]: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

On May 21, 2014, at 2:23 PM, Wladimir <laanwj@gmail.com> wrote:

> Hello all,
>
> When you're contributing to Bitcoin Core development please sign your
> git commits. This is easy to do and will help in assuring the
> integrity of the tree.
>
> How to sign your commits?
> ------------------------------------------
>
> Provide the `-S` flag (or `--gpg-sign`) to git commit when you commit
> your changes, for example
>
>    git commit -m "Commit message" -S
>
> Optionally you can provide a key id after the -S option to sign with a
> specific key.
>
> What if I forgot?
> -------------------------
>
> You can retroactively sign your previous commit using --amend, for example
>
>    git commit -S --amend
>
> If you need to go further back, you can use the interactive rebase
> command with 'edit'. Replace HEAD~3 with the base commit from which
> you want to start.
>
>    git rebase -i HEAD~3
>
> Replace 'pick' by 'edit' for the commit that you want to sign and the
> rebasing will stop after that commit. Then you can amend the commit as
> above. Afterwards, do
>
>    git rebase --continue
>
> As this will rewrite history, you cannot do this when your commit is
> already merged. In that case, too bad, better luck next time.
>
> If you rewrite history for another reason - for example when squashing
> commits - make sure that you re-sign as the signatures will be lost.
>
> How to check if commits are signed?
> -------------------------------------------------------
>
> Use git log with show-signature,
>
>    git log --show-signature
>
>    commit 6fcdad787f1fb381a3a0fe6b1a1e45477426dccb
>    gpg: Signature made Wed 21 May 2014 12:27:55 PM CEST using RSA key ID 2346C9A6
>    gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
>    Author: Wladimir J. van der Laan <laanwj@gmail.com>
>    Date:   Wed May 21 12:27:37 2014 +0200
>
>        qt: Periodic language update
>    ...
>
> You can also pass the --show-signature option to `git show` to check a
> single commit.
>
> If you do this on the current repository you'll see that I'm almost
> the only person signing commits. I would like more people to get into
> this habit.
>
> How to sign merges?
> --------------------------------
>
> When using the github interface to merge a pull request, the resulting
> merge commit is not signed.
>
> Pieter Wuille wrote a script that simplifies merging and signing. It
> can be found in contrib/devtools. Setup instructions can be found in
> the README.md in that directory. After setting it up for the
> repository you can use the script in the following way:
>
>    contrib/devtools/github-merge.sh 1234
>
> Replace 1234 by the pull request number that you want to merge. It
> will merge the pull request and drop you into a shell so you can
> verify changes and test. Once satisfied, exit the shell and answer the
> questions to merge and sign it and push upstream automatically (or
> not).
>
> Please use this script when possible for merging instead of the github
> interface.
>
> --------------------------
>
> Wladimir



--Apple-Mail=_FD74865F-B43E-4BD4-8E42-0104BF84618E--

--Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail


--Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460--
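
Added example, not part of the original thread or of the Bitcoin Core repository: one way to mechanically apply the "reject pull requests without signed commits" policy raised in the reply above, using git's `%G?` log placeholder instead of reading `git log --show-signature` output by eye. The function names, the `ALLOW_UNTRUSTED` variable and the revision range are assumptions made for this sketch.

```bash
#!/bin/sh
# Added example (not from the original thread or the Bitcoin Core repository).
# Gate a revision range on commit signatures using git's %G? placeholder.

# check_signatures: read "<hash> <status>" lines on stdin, as printed by
#   git log --format='%H %G?' <range>
# Print one line per commit that fails the policy; return 1 if any did.
check_signatures() {
    bad=0
    while read -r hash status; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) continue ;;                      # good signature, valid key
            U) [ "${ALLOW_UNTRUSTED:-0}" = 1 ] && continue
               reason="good signature, key not trusted" ;;
            N) reason="no signature" ;;
            B) reason="BAD signature" ;;
            E) reason="signature cannot be checked (key missing?)" ;;
            X|Y|R) reason="signature or key expired/revoked" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        echo "$hash: $reason"
        bad=1
    done
    return "$bad"
}

# verify_range: fail closed if git errors out or the range is empty, so a
# typo in the range cannot pass as "all commits signed".
verify_range() {
    lines=$(git log --format='%H %G?' "$1") || return 2
    [ -n "$lines" ] || { echo "no commits in range '$1'" >&2; return 2; }
    printf '%s\n' "$lines" | check_signatures
}

# Usage (the range is an assumption): sh check-signed.sh origin/master..HEAD
[ "$#" -eq 0 ] || verify_range "$1"
```

git runs gpg against the local keyring, so whoever runs the check needs the contributors' public keys imported; a missing key shows up as status `E` and fails the check.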