
I, too, used to be scared of my "middle school permanent record" except just last week, I witnessed at $work a decision being reached to let old history stay in TFS and only import the current (head if you will) in git with no history at all.

I am not saying don't worry about the future or that the future doesn't matter. For most situations, git history won't matter. There is no such thing as a permanent record, not one that most people will care about anyway.

Here is my reason why we don't need commit signing — the commit must stand on its own. Either you understand the change and approve of it, regardless of whether it was signed by Linus Torvalds or Kim Il Sun, or you don't. If you don't understand the change (or the code base) and the code base is important enough for you to go looking for a signature, chances are you should be paranoid if someone got into Linus's computer and stole his private keys.

TL;DR: don't think too much about git signing. Do what makes you happy, but know it doesn't matter either way.



I rely on Linux being secure in ways I cannot personally verify. Partly because my understanding is not deep enough, but mainly because I don't have the huge amount of time to invest. I use thousands of pieces of very complex software (just to write this message if nothing else). The fact that Linus is prepared to stake his reputation on signing it, and that reputation has been built from thousands of people being able to review his work, is extremely important to me.


If you're not looking at individual changesets/commits, how does a git signature affect you?


If I am reviewing a fork, I can review the changes since a commit with a trusted signature.



