Re: [gentoo-dev] On banning merge commits

[Kent Fredric <kentfredric@gmail.com>]

On 11 May 2016 at 00:04, Alexis Ballier <aballier@gentoo.org> wrote:
> well, then I can commit crap with --author mrp@gentoo.org and claim he
> made me rebase it :)


Well, if you're going down that line ...

You don't rebase it, you just merge it, than then mrp claims obama
forced his hand to write the commit at gunpoint and sign it, and
that's why he is both --author and --committer

That's obviously silly talk :D

You put your name on it with your GPG key, then the responsibility
beyond that point is a social one, not a technical one.

The person who signed via GPG still holds the "Technical responsibility" :)

>I  understand gpg signing of commits as a way to guarantee author is
> correctly set and claims the commit.

No. GPG commit signing only guarantees "committer". That's why git
rebase re-writes committer as well as re-signing it.

The committer metadata itself is no real guarantee either, because you
can twiddle COMMIT env vars and change that on a whim, so I could
forge a commit authored by mrp and committed by aballier ... and
unless you checked the GPG sig, you'd never know that I made it.

But by design, the signature only indicates who the person was who
*committed* a commit, it can never indicate the true author.

For instance, a commit *could* in theory be authored by somebody who
has no access to a computer, and I could copy-paste that data and
upload it.

The true author would never be known /unless/ I forged author data,
but I sure was the person who committed it.

And "Commit responsibility" is what we're trying to regulate here.
"Author metadata" is just for attribution/credits sake, and a *weak*
responsibility.


-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL