I’m curious to hear what the Lemmy programming community thinks of this!
- The author argues against signing Git commits, stating that it adds unnecessary complexity to systems.
- The author believes that signing commits perpetuates an engineering culture of blindly adopting complex tools.
- The consequences of signing Git commits are likely to be subtle and not as dramatic as some may believe.
Archive link: https://archive.ph/vjDeK
For anyone wondering - why would I need it? I’m already signed in to github, the commit is commited using my ssh-key, Github knows it’s me. Why would I need another verification?
Here’s why. https://dev.to/martiliones/how-i-got-linus-torvalds-in-my-contributors-on-github-3k4g . If someone commits with your email (or github noreply email, which is public), it will get attributed to you. I was just trying it with colleauges account, and so far I haven’t found any way how to tell that it really wasn’t him.