git@vger.kernel.org mailing list mirror (one of many)
* Teams of people using signed commits...
@ 2013-06-14 19:02 Eric Fleischman
  2013-06-14 19:25 ` Magnus Bäck
  2013-06-14 22:06 ` Fredrik Gustafsson
  0 siblings, 2 replies; 3+ messages in thread
From: Eric Fleischman @ 2013-06-14 19:02 UTC (permalink / raw)
  To: git

We're very interested in using signed commits but are struggling to
figure out how to use it in the real world. Would love some advice
from those who know more.

We think we know how to deal with signed commits & auto-reject such
commits at build time, as well as clean up. But we're worried that
folks won't sign on the way in accidentally. We don't know of a good
way to force the team to always sign commits yet, especially as they
get new machines and what have you.

Is there a way to add something to the repo config to force, or at
least default, this?
We considered forking git and forcing this on the team, forcing them
to sign for our repos. But we'd love to avoid this sort of
heavy-handed approach.

Thx!
Eric


* Re: Teams of people using signed commits...
  2013-06-14 19:02 Teams of people using signed commits Eric Fleischman
@ 2013-06-14 19:25 ` Magnus Bäck
  2013-06-14 22:06 ` Fredrik Gustafsson
  1 sibling, 0 replies; 3+ messages in thread
From: Magnus Bäck @ 2013-06-14 19:25 UTC (permalink / raw)
  To: Eric Fleischman; +Cc: git

On Friday, June 14, 2013 at 15:02 EDT,
     Eric Fleischman <efleischman@gmail.com> wrote:

> We're very interested in using signed commits but are struggling to
> figure out how to use it in the real world. Would love some advice
> from those who know more.

What do you expect to gain from using signed commits? I'm not saying
they don't have a place, but depending on why you find them attractive
there might be alternatives. For example, won't signed tags do?

> We think we know how to deal with signed commits & auto-reject such
> commits at build time, as well as clean up. But we're worried that
> folks won't sign on the way in accidentally. We don't know of a good
> way to force the team to always sign commits yet, especially as they
> get new machines and what have you.

Hooks? A pre-commit hook that runs on the machine and/or a server-side
hook (pre-receive or update?) should be able to enforce this. Well, a
client hook is trivially bypassed so it would just be useful against
mistakes and forgetfulness.

> Is there a way to add something to the repo config to force, or at
> least default, this?

I don't believe you can configure Git to sign commits by default, but
if you control the machines (assuming a corporate environment) you can
set up a template directory for hook distribution. Again, that's only
for client hooks that are okay to be circumventable.

[...]

-- 
Magnus Bäck
baeck@google.com


* Re: Teams of people using signed commits...
  2013-06-14 19:02 Teams of people using signed commits Eric Fleischman
  2013-06-14 19:25 ` Magnus Bäck
@ 2013-06-14 22:06 ` Fredrik Gustafsson
  1 sibling, 0 replies; 3+ messages in thread
From: Fredrik Gustafsson @ 2013-06-14 22:06 UTC (permalink / raw)
  To: Eric Fleischman; +Cc: git

On Fri, Jun 14, 2013 at 12:02:01PM -0700, Eric Fleischman wrote:
> We think we know how to deal with signed commits & auto-reject such
> commits at build time, as well as clean up. But we're worried that
> folks won't sign on the way in accidentally. We don't know of a good
> way to force the team to always sign commits yet, especially as they
> get new machines and what have you.
> 
> Is there a way to add something to the repo config to force, or at
> least default, this?
> We considered forking git and forcing this on the team, forcing them
> to sign for our repos. But we'd love to avoid this sort of
> heavy-handed approach.
> 
> Thx!
> Eric

Hi,
I might miss something here, but couldn't you just write a pre-commit
hook on the client side to help the developers remember and a post-receive
hook on the server side to actually enforce this?

With that said, I'm a bit skeptical about enforcing ways to use
software. It usually hides real social problems instead. For example, if
your developers don't understand the value in always signing their
commits, can you trust that they protect their gpg-key well enough?
-- 
Kind regards
Fredrik Gustafsson

tel: 0733-608274
e-mail: iveqy@iveqy.com

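Both replies point at a server-side hook as the only place where signing can really be enforced (client hooks, as Magnus says, are just a reminder). Of the server-side hooks, `pre-receive` and `update` run before the refs are written and can reject the push; `post-receive` runs afterwards and can only report. The script below is an added example, not code from the thread or from the Git project: an `update` hook that refuses any ref update introducing a commit whose signature does not verify. It relies on the `%G?` placeholder of `git log --format`, which Git has had since 1.7.9, and assumes the developers' public keys are imported into the keyring of the user the hook runs as. The function names `verify_status_lines` and `update_hook` are my own.

```shell
#!/bin/sh
# Server-side "update" hook that rejects a push if any commit it introduces
# lacks a good GPG signature. Added example, not from the thread.
# Assumes: Git >= 1.7.9 on the server (for the %G? placeholder) and the
# developers' public keys imported into the hook user's GnuPG keyring.

# verify_status_lines reads "<sha> <status>" lines from stdin, where <status>
# is Git's %G? value: G = good signature, B = bad signature, U = good signature
# from a key of unknown trust, N = no signature (newer Git versions add more
# letters; all of them mean "not a good signature" for this policy).
# Reports every commit whose status is not G; returns 1 if there was one.
verify_status_lines() {
    bad=0
    while read -r sha status; do
        [ -z "$sha" ] && continue
        case "$status" in
            G) ;;
            *)
                echo "rejected: commit $sha has signature status '${status:-?}' (need G)" >&2
                bad=1
                ;;
        esac
    done
    return "$bad"
}

# Git invokes the update hook once per ref with: <refname> <oldrev> <newrev>.
# A non-zero exit status makes Git refuse that ref update.
update_hook() {
    refname=$1
    oldrev=$2
    newrev=$3
    zero=0000000000000000000000000000000000000000

    # Deleting a ref introduces no commits; nothing to verify.
    [ "$newrev" = "$zero" ] && return 0

    if [ "$oldrev" = "$zero" ]; then
        # New ref: only check commits not already reachable from existing refs,
        # so history that predates the policy is not re-examined.
        set -- "$newrev" --not --all
    else
        set -- "$oldrev..$newrev"
    fi
    # %H = full commit id, %G? = signature verification status.
    git log --format='%H %G?' "$@" | verify_status_lines
}

# Run as a hook when installed as <repo>/hooks/update; under any other name
# (e.g. when sourced for testing) only the functions are defined.
case "$0" in
    update|*/update) update_hook "$@" ;;
esac
```

Install it executable as `hooks/update` in the bare repository on the server; a `pre-receive` variant would read the same three fields per ref from stdin instead of the argument list. On the client side, the default-signing setting Eric asked about became available later as the `commit.gpgsign` configuration key (Git 2.0 and newer), but as both replies note that is only as strong as the workstation it is set on, so the server-side check is what actually holds the line.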
