Hello!

Christopher Allan Webber wrote:

> On top of that, even if you run from git proper what there isn't a test
> about is: can you trust those latest commits? Git doesn't really check,
> at least by default.
>
> https://mikegerwitz.com/papers/git-horror-story
>
> How about this: anyone with commit access should use "signed off by" and
> gpg signatures combined. We should keep some list of guix committers'
> gpg keys. No commit should be pushed to guix without a gpg signature.
> At this point, at least, there is some possibility of auditing things.

To make progress on this front, I’ve decided to start signing all my
commits, so:

--8<---------------cut here---------------start------------->8---
$ git config commit.gpgsign true
$ git config --global user.signingkey 090B11993D9AEBB5
--8<---------------cut here---------------end--------------->8---

I invite everyone to do the same. Hopefully, within a few weeks, we can
add a commit hook to reject unsigned commits.

Note that we’ll be signing patches we push on behalf of contributors who
do not have commit access (reviewer’s responsibility).

Also, rebasing, amending, and cherry-picking code signed by someone else
would lose the original signature, which isn’t great and should be
avoided, if possible.

What remains to be seen, among other things, is how we’ll maintain a
keyring of the committers, and how we’ll distribute it to users of
‘guix pull’; the TUF spec has clever ideas about it, but we need to see
how they map to our setup.

Thoughts?

Ludo’.
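As an added illustration of the server-side hook the message proposes (this is example code, not a Guix hook or anything from the thread), the script below is a git `update` hook that walks every commit in a pushed range, asks git for its signature status via the `%G?` placeholder, and rejects the push if any commit is unsigned or badly signed. It assumes the committers' public keys have already been imported into the keyring of the user git runs as, and that the hook is installed as `hooks/update` in the bare repository.

```shell
#!/bin/sh
# Example git "update" hook: refuse pushes containing unsigned commits.
# git invokes it as:  update <refname> <old-sha> <new-sha>
# Assumption (constructed example): committer public keys are already in the
# keyring git uses for verification, so a good signature shows up as G or U.

# Map a single "%G?" status character from git log to accept/reject.
#   G = good signature            U = good signature, key not trusted
#   B = bad signature             E = signature could not be checked
#   N = no signature              X/Y/R = expired key / expired sig / revoked
sig_status_ok() {
    case "$1" in
        G|U) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read "<sha> <status>" lines on stdin (the shape `git log --format='%H %G?'`
# emits), report every offending commit, and return 1 if any was found.
check_signature_list() {
    bad=0
    while read -r sha status; do
        if [ -z "$sha" ]; then continue; fi
        if ! sig_status_ok "$status"; then
            printf 'rejected: commit %s has signature status %s\n' \
                "$sha" "$status" >&2
            bad=1
        fi
    done
    return $bad
}

# Hook entry point: only active when git passes the three hook arguments.
if [ "$#" -eq 3 ]; then
    oldrev=$2
    newrev=$3
    zero=0000000000000000000000000000000000000000
    if [ "$newrev" = "$zero" ]; then exit 0; fi   # ref deletion: nothing to check
    if [ "$oldrev" = "$zero" ]; then
        range=$newrev                               # new ref: check its whole history
    else
        range="$oldrev..$newrev"                    # existing ref: only the new commits
    fi
    git log --format='%H %G?' "$range" | check_signature_list || exit 1
fi
```

A status of `U` is accepted here so that a correct signature from a known key is not rejected merely because of the local trust setting; tighten it to `G` only if the server keyring's trust levels are maintained.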