guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ‘core-updates’ is gone; long live ‘core-packages-team’!


From: Leo Famulari
Subject: Re: ‘core-updates’ is gone; long live ‘core-packages-team’!
Date: Fri, 6 Sep 2024 14:06:37 -0400

On Fri, Sep 06, 2024 at 10:44:54AM -0700, Vagrant Cascadian wrote:
> Is it just me, or is rebasing branches disconcerting, as it likely means
> the person signing the commit is not necessarily the original person
> pushing the commit? This is worst for the now deprecated core-updates
> branch with many rebased commits... are people still updating the
> signed-off-by tags or whatnot?

In Guix, the "signed-off-by" tag gives credit to the reviewer of the
patch, but doesn't indicate anything about authority to push to
guix.git.

In all cases, a commit that is pushed to guix.git will be signed by an
authorized committer. The signature system ensures that.

If we are concerned about long-running branches being rebased and
commits losing their "original" signatures, I think it's not really
something to worry about. That's because the signature *only* tells us
that that the commit was signed by someone who is authorized, and it
tells us *nothing* else. The code-signing authorization is extremely
limited in scope. It doesn't tell us that the code works, is freely
licensed, is not malicious, etc. So, it doesn't matter who signs a
commit, as long as it is signed by an authorized person.

Does this respond to your concerns? Or have I misunderstood?



reply via email to

[Prev in Thread] Current Thread [Next in Thread]