Closed aaronmondal closed 1 year ago
This is quite a significant issue. From my point of view, we'd want to prioritize verified commits over non-verified commits for the reasons you alluded to above. I may need to spend some time investigating the full scope of the risk, but @allada owns the decision here.
After the switch to squash-merging, signatures are preserved, e.g. https://github.com/TraceMachina/turbo-cache/commit/2c7e22b8d5db04ffc9ce2668a7c2cc35da3cc3f6.
Commits like https://github.com/TraceMachina/turbo-cache/commit/c577db5dde9afcb26d24279fe54ae013a1d03730 are actually verified, but the signature doesn't persist when applying the rebase merge.
@allada @MarcusSorealheis @chrisstaite-menlo Since this has potential security and legal implications it seems desirable to figure out some way to improve the current settings, but I'm not sure what the best approach would be.
I'm not sure whether this is an unchangeable issue with GitHub's rebase merging implementation or if we can somehow change the settings for the repo. I know that squash merging preserves signatures correctly, but that doesn't allow creating "stacks" of commits the same way that rebasing would.
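One way to catch the problem described in this thread (a rebase merge rewriting commits and dropping their signatures) is a branch audit that runs `git log` with the `%G?` signature-status placeholder and flags every commit that is not verified. The script below is an added example, not code from the issue thread or from the turbo-cache project; the `--format` string, the status-code meanings and the `audit_branch` wrapper are standard `git log` behaviour, while the sample log text and its SHAs are constructed for illustration.

```python
"""Audit a commit range for commits without a good signature.

Added example, not from the issue thread or the turbo-cache project.
It parses `git log --format='%H%x00%G?%x00%GS%x00%s'` output, where
%G? is git's one-letter signature status, %GS the signer, and the
fields are NUL-separated so subjects with odd characters parse safely.
"""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? codes (documented in git-log's pretty formats).
GOOD = {"G"}                               # good, trusted signature
UNTRUSTED_OR_EXPIRED = {"U", "X", "Y", "R"}  # valid signature, key not trusted/expired/revoked
BAD = {"B", "E"}                           # bad signature, or could not be checked
UNSIGNED = {"N"}                           # no signature at all (e.g. stripped by a rewrite)

LOG_FORMAT = "--format=%H%x00%G?%x00%GS%x00%s"


@dataclass
class Commit:
    sha: str
    status: str
    signer: str
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Turn NUL-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, signer, subject = line.split("\x00", 3)
        commits.append(Commit(sha, status, signer, subject))
    return commits


def find_unverified(commits: list[Commit], allow_untrusted: bool = False) -> list[Commit]:
    """Return commits whose signature status is not acceptable.

    By default only a good, trusted signature (G) passes; set
    allow_untrusted=True to also accept signatures from keys that git
    cannot vouch for (U/X/Y/R), which is sometimes useful in CI where
    no trust database is configured.
    """
    accepted = GOOD | (UNTRUSTED_OR_EXPIRED if allow_untrusted else set())
    return [c for c in commits if c.status not in accepted]


def audit_branch(rev_range: str = "origin/main..HEAD", repo: str = ".") -> list[Commit]:
    """Run git log over a revision range in a real repository and audit it.

    Returns the list of unverified commits; an empty list means every
    commit in the range carries a good signature.
    """
    out = subprocess.run(
        ["git", "-C", repo, "log", LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_unverified(parse_log(out))


# Constructed sample output: one signed commit, one whose signature was
# lost when the commit was rewritten, and one whose signature could not
# be checked. The SHAs are placeholders, not real commits.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\x00G\x00Alice <alice@example.com>\x00Add cache eviction\n"
    "2222222222222222222222222222222222222222\x00N\x00\x00Fix race in scheduler\n"
    "3333333333333333333333333333333333333333\x00E\x00\x00Bump dependencies\n"
)


def sample_report() -> list[str]:
    """Short SHA and status for every unverified commit in SAMPLE_LOG."""
    return [f"{c.sha[:7]} {c.status}" for c in find_unverified(parse_log(SAMPLE_LOG))]


if __name__ == "__main__":
    for line in sample_report():
        print("unverified:", line)
```

Run inside a checkout as `audit_branch("origin/main..HEAD")` to check a pull request's commits before merge, or over `main` itself after the merge to confirm that the chosen merge strategy kept the signatures; a non-empty result is the signal that something rewrote the commits.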