Content-Type: multipart/signed;
	boundary="Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460";
	protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Chris Beams <chris@beams.io>
In-Reply-To: <CA+s+GJBNWh0Py9KB4Y+B19ACeHOygtkLrPw5SbZ0SrVs50pqvg@mail.gmail.com>
Date: Wed, 21 May 2014 18:39:44 +0200
Message-Id: <7B48B9D4-5FB0-42CA-A462-C20D3F345A9A@beams.io>
References: <CA+s+GJBNWh0Py9KB4Y+B19ACeHOygtkLrPw5SbZ0SrVs50pqvg@mail.gmail.com>
To: Wladimir <laanwj@gmail.com>
X-Mailer: Apple Mail (2.1878.2)
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] PSA: Please sign your git commits
List-Id: <bitcoin-development.lists.sourceforge.net>


--Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_FD74865F-B43E-4BD4-8E42-0104BF84618E"


--Apple-Mail=_FD74865F-B43E-4BD4-8E42-0104BF84618E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Wladimir,

I'm personally happy to comply with this for any future commits, but wonder if you've considered the arguments against commit signing [1]? Note especially the reference therein to Linus' original negative opinion on signed commits [2].

I came across these when searching for a way to enable signing by default, e.g. a `git config` option that might allow for this. Unfortunately, there isn't one, meaning it's likely that most folks will forget to do this most of the time.

If you're really serious about it, you should probably reject pull requests without signed commits; otherwise, signing becomes meaningless because only honest authors do it, and forgetful or malicious ones can avoid it without penalty.

That said, I'm not sure that creating such a barrier to contribution is worth it.

- Chris

[1]: http://stackoverflow.com/a/10166916/622403
[2]: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

On May 21, 2014, at 2:23 PM, Wladimir <laanwj@gmail.com> wrote:

> Hello all,
>
> When you're contributing to Bitcoin Core development please sign your
> git commits. This is easy to do and will help in assuring the
> integrity of the tree.
>
> How to sign your commits?
> ------------------------------------------
>
> Provide the `-S` flag (or `--gpg-sign`) to git commit when you commit
> your changes, for example
>
>    git commit -m "Commit message" -S
>
> Optionally you can provide a key id after the -S option to sign with a
> specific key.
>
> What if I forgot?
> -------------------------
>
> You can retroactively sign your previous commit using --amend, for example
>
>    git commit -S --amend
>
> If you need to go further back, you can use the interactive rebase
> command with 'edit'. Replace HEAD~3 with the base commit from which
> you want to start.
>
>    git rebase -i HEAD~3
>
> Replace 'pick' by 'edit' for the commit that you want to sign and the
> rebasing will stop after that commit. Then you can amend the commit as
> above. Afterwards, do
>
>    git rebase --continue
>
> As this will rewrite history, you cannot do this when your commit is
> already merged. In that case, too bad, better luck next time.
>
> If you rewrite history for another reason - for example when squashing
> commits - make sure that you re-sign as the signatures will be lost.
>
> How to check if commits are signed?
> -------------------------------------------------------
>
> Use git log with show-signature,
>
>    git log --show-signature
>
>    commit 6fcdad787f1fb381a3a0fe6b1a1e45477426dccb
>    gpg: Signature made Wed 21 May 2014 12:27:55 PM CEST using RSA key ID 2346C9A6
>    gpg: Good signature from "Wladimir J. van der Laan <laanwj@gmail.com>"
>    Author: Wladimir J. van der Laan <laanwj@gmail.com>
>    Date:   Wed May 21 12:27:37 2014 +0200
>
>        qt: Periodic language update
>    ...
>
> You can also pass the --show-signature option to `git show` to check a
> single commit.
>
> If you do this on the current repository you'll see that I'm almost
> the only person signing commits. I would like more people to get into
> this habit.
>
> How to sign merges?
> --------------------------------
>
> When using the github interface to merge a pull request, the resulting
> merge commit is not signed.
>
> Pieter Wuille wrote a script that simplifies merging and signing. It
> can be found in contrib/devtools. Setup instructions can be found in
> the README.md in that directory. After setting it up for the
> repository you can use the script in the following way:
>
>    contrib/devtools/github-merge.sh 1234
>
> Replace 1234 by the pull request number that you want to merge. It
> will merge the pull request and drop you into a shell so you can
> verify changes and test. Once satisfied, exit the shell and answer the
> questions to merge and sign it and push upstream automatically (or
> not).
>
> Please use this script when possible for merging instead of the github
> interface.
>
> --------------------------
>
> Wladimir


--Apple-Mail=_FD74865F-B43E-4BD4-8E42-0104BF84618E--

--Apple-Mail=_DA12415C-6762-4C59-930A-571CA7B88460--
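
The thread raises the idea of rejecting pull requests whose commits are not signed; such a gate needs a check that fails on anything other than a good signature from a trusted key. One way to write it, as an added example that is not part of the original thread or of the Bitcoin Core tooling: it reads the output of `git log --format='%h %G?'`, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a commit range for signature status.
# Input on stdin: one "<hash> <status>" pair per line, as produced by
#   git log --format='%h %G?' <base>..<head>
# where %G? is git's one-letter signature status for the commit.

# Print every commit that fails the policy; return 1 if any did.
audit_signatures() {
    rc=0
    while read -r hash status; do
        [ -n "$hash" ] || continue               # skip blank lines
        case "$status" in
            G)     ;;                            # good signature, trusted key
            U)     echo "$hash untrusted-key"; rc=1 ;;      # valid, key not trusted
            N)     echo "$hash unsigned"; rc=1 ;;
            B)     echo "$hash BAD-signature"; rc=1 ;;
            E)     echo "$hash missing-key"; rc=1 ;;        # cannot be checked
            X|Y|R) echo "$hash expired-or-revoked"; rc=1 ;;
            *)     echo "$hash unknown-status:$status"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input (hashes are placeholders, not real commits).
sample_log() {
    cat <<'EOF'
aaaaaaa G
bbbbbbb N
ccccccc B
ddddddd U
EOF
}

# Demo on the constructed sample. Against a real branch, pipe in:
#   git log --format='%h %G?' origin/master..HEAD
sample_log | audit_signatures || echo "policy: reject this range"
```

Treating `U` as a failure means the reviewer's keyring, not the committer, decides which keys count; a signature from a key nobody has vetted says nothing about who made the commit.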