From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-75606-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id CBEFF138252
	for <garchives@archives.gentoo.org>; Tue, 10 May 2016 14:18:13 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 2894021C054;
	Tue, 10 May 2016 14:18:05 +0000 (UTC)
Received: from mail-yw0-f174.google.com (mail-yw0-f174.google.com [209.85.161.174])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 36D0321C012
	for <gentoo-dev@lists.gentoo.org>; Tue, 10 May 2016 14:18:04 +0000 (UTC)
Received: by mail-yw0-f174.google.com with SMTP id g133so12865496ywb.2
        for <gentoo-dev@lists.gentoo.org>; Tue, 10 May 2016 07:18:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to;
        bh=7DYhQfXxuc1PRcskufevUVihUwlhjBL2JAQVkYMuF78=;
        b=FK9DvlLJG6TXeqnLWBrRBAwGH7MqSds9psTFy7fODMclf0HsEAFZiPOi1N0qmmbgKQ
         +jzpxTTB0jpEMI/z/pNOP3X2Ps+isPQokl8S8qrUZq/JVJLOHyT1xrWFbJRJ91o4yVtC
         uOIk6H7I5KSo9bK+sYoCAIfJMvZWPd0SeIfl6partz2LcQbCO4dTNgaC0q0z5K/cn11g
         GxPD17NuKR6QInaX3387fibVPDspnQpHNPB4GSNMNsVAAsRou/SNL5KczrvFJ97I2uZa
         wh3XXCrqLsqoYzlkJ5jrRYT9KdurH87diXtousR3fVgLSjb1n2wTu9EEPk0zhOGqgH60
         D1Gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to;
        bh=7DYhQfXxuc1PRcskufevUVihUwlhjBL2JAQVkYMuF78=;
        b=ZE06kczQzcFAgai0e0+K0dY4N8/SVnoCW1FYQ0BB6yaMr1MU+ME/zAF73Nt0rmQlpN
         dGCFWp866EnM4zXAwpqftRb1DZRbE6aG1guCWBqS3yzE7NwcL1okSySb1dQVQ5iQfOdc
         dKVLtrPGsO5XMEE7O1Y2X/xhnz6LYkkzC6RIsuEC5quTV1PachNA8qcye2GGvENbZIcZ
         em3em6jRKS6IJWGT/YyoStwLPmykdThBeQJ5EvSxe9r9qcEWkaz/kz2iI+8zpsSGfIs7
         gawze0sZz25iNhay2aEOmRcxYwMyNJOOeaGNx353spUAOQ6H4SsMhGBKeROs8pF4JvKL
         fkLA==
X-Gm-Message-State: AOPr4FXqeiy1nrxjwZwAkKEGFrfmOUT6BmfHSrS5YrszhU5MVCBV/YCSHaZTAh9CqWCPc+Q+V8Aluc7wSZihwg==
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
X-Received: by 10.37.118.140 with SMTP id r134mr4497162ybc.65.1462889883353;
 Tue, 10 May 2016 07:18:03 -0700 (PDT)
Received: by 10.13.241.199 with HTTP; Tue, 10 May 2016 07:18:03 -0700 (PDT)
In-Reply-To: <20160510140427.5586a519@gentoo.org>
References: <20160507235222.GA16750@ultrachro.me>
	<20160508190309.011ede63@gentoo.org>
	<CAATnKFB5vuVqbuW6hmd9EObm=V-sH9a-HDz1ORq+5OCY2AhNPw@mail.gmail.com>
	<20160510140427.5586a519@gentoo.org>
Date: Wed, 11 May 2016 02:18:03 +1200
Message-ID: <CAATnKFD3r7OOP9Bf_JXTjuFF_9D5D_JkxA9QNMznDOT-fz=z-g@mail.gmail.com>
Subject: Re: [gentoo-dev] On banning merge commits
From: Kent Fredric <kentfredric@gmail.com>
To: gentoo-dev <gentoo-dev@lists.gentoo.org>
Content-Type: text/plain; charset=UTF-8
X-Archives-Salt: a78f83a6-e8e2-4013-a6e6-48adc11590f5
X-Archives-Hash: 9cdb0491c6de70bc11345942ab77878b

On 11 May 2016 at 00:04, Alexis Ballier <aballier@gentoo.org> wrote:
> well, then I can commit crap with --author mrp@gentoo.org and claim he
> made me rebase it :)


Well, if you're going down that line ...

You don't rebase it, you just merge it, than then mrp claims obama
forced his hand to write the commit at gunpoint and sign it, and
that's why he is both --author and --committer

That's obviously silly talk :D

You put your name on it with your GPG key, then the responsibility
beyond that point is a social one, not a technical one.

The person who signed via GPG still holds the "Technical responsibility" :)

>I  understand gpg signing of commits as a way to guarantee author is
> correctly set and claims the commit.

No. GPG commit signing only guarantees "committer". That's why git
rebase re-writes committer as well as re-signing it.

The committer metadata itself is no real guarantee either, because you
can twiddle COMMIT env vars and change that on a whim, so I could
forge a commit authored by mrp and committed by aballier ... and
unless you checked the GPG sig, you'd never know that I made it.

But by design, the signature only indicates who the person was who
*committed* a commit, it can never indicate the true author.

For instance, a commit *could* in theory be authored by somebody who
has no access to a computer, and I could copy-paste that data and
upload it.

The true author would never be known /unless/ I forged author data,
but I sure was the person who committed it.

And "Commit responsibility" is what we're trying to regulate here.
"Author metadata" is just for attribution/credits sake, and a *weak*
responsibility.


-- 
Kent

KENTNL - https://metacpan.org/author/KENTNL