Rubygems: Should committers be required to sign their commits?

Created on 16 Aug 2019 · 4 Comments · Source: rubygems/rubygems

As part of the general security effort, I'm wondering if we should require that commits be signed by our committers:

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

As to why, here's a good article:

https://www.linuxjournal.com/content/signing-git-commits

From the article:

As useful as signing packages and ISOs is, an even more important use of GPG signing is in signing Git commits. When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else.

The article also shows how you can set your signing key automatically.

Thoughts?

administrative


All 4 comments

I'm not opposed to this, but am not knowledgeable enough about the subject to have a strong opinion either way. I'm planning to read more about it (starting with the articles you linked to) in a bit.

However, I think a few things are worth noting when considering this.

First, I don't think bundlerbot signs commits. I'm not entirely sure of the significance of this, but it seems relevant, so I figured I'd mention it.

Second, it is also worth noting that, if we require commit signing, we will need an onboarding process that includes information on how to set it up. The effort put into both writing that and helping people who didn't realize until after committing code (and thus need to redo their commits) is not inherently a deal-breaker, but is worth considering when weighing the pros and cons.

I have no strong opinion. I already add a GPG signature to my commits.

I think a good first step would be to recommend this in our CONTRIBUTING.md by pointing to a nice guide to help setting this up.

@deivid-rodriguez I took a stab at it: https://github.com/rubygems/rubygems/pull/2888
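If signing ever becomes a requirement rather than a recommendation, the repository needs a check that enforces it. The script below is an added example, not code from the rubygems project or this thread; it reads git's per-commit signature status (`%G?`) and flags any commit in a range that is unsigned or carries a bad signature. The function names and the choice of which status letters to accept are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from rubygems): a CI / pre-merge check that every commit
# in a range carries a signature git can verify.
#
# `git log --format='%H %G? %s'` prints, per commit, the hash, a one-letter
# signature status and the subject. The status letters git documents are:
#   G good, U good but key not trusted, B bad, X good but signature expired,
#   Y good but key expired, R good but key revoked, E cannot check, N none.
# Which letters pass is a policy choice (assumption here): G and U pass,
# U because a CI keyring rarely carries a trust path to contributor keys.

# classify_status: reads lines "<hash> <status> <subject>" on stdin, prints
# one line per failing commit, returns 0 if all pass and 1 otherwise.
classify_status() {
  rc=0
  while read -r hash status subject; do
    [ -n "$hash" ] || continue
    case "$status" in
      G|U) ;;
      N) echo "UNSIGNED  $hash  $subject"; rc=1 ;;
      B) echo "BAD-SIG   $hash  $subject"; rc=1 ;;
      *) echo "REJECTED($status) $hash  $subject"; rc=1 ;;
    esac
  done
  return $rc
}

# check_range: verify every commit in <base>..<head> of the current repo.
# Assumes git on PATH and the accepted committers' public keys imported into
# the gpg keyring of the machine running the check (otherwise status is E).
check_range() {
  base="$1"; head="${2:-HEAD}"
  git log --format='%H %G? %s' "${base}..${head}" | classify_status
}

# Typical CI usage (hypothetical branch names):
#   check_range origin/master HEAD || { echo "unsigned commits found"; exit 1; }
```

Because `classify_status` works on text, it can be run against a constructed sample without a repository, which is how the enforcement logic itself can be unit-tested.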
