python / devguide

The Python developer's guide
https://devguide.python.org/
Creative Commons Zero v1.0 Universal

Add info on how to verify/sign commits on GitHub #834

Open Mariatta opened 2 years ago

Mariatta commented 2 years ago

GitHub documentation about verified commits: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

We should advise contributors to sign and verify their commits. This way, we can be sure that they actually own the email address they use in their commits.

gpshead commented 2 years ago

That's a false promise. GPG does not verify identity or email addresses. It merely verifies access to a private key. Logging into GitHub effectively does the same thing.

For a signature to do more than that people would have to become GPG zealots with key signing chains of trust and a pinky swear to never store their GPG private credentials on the same machine that ever has their GitHub credentials or equivalents. I can probably count people who meet those criteria in Python land on one hand.

Signed commits within git may be useful in some git circumstances, and aren't harmful, but they run the risk of people believing that signature means something it cannot without a level of OpSec we can't require of committers, let alone contributors. It seems like a more interesting concept for actually distributed projects rather than things centralizing on GitHub.

So if we're going to mention this in the docs just merely link to the GitHub info on it as something people might want to do. Let's not make any authentication claims about it.

Apologies for standing on a 🧼 📦. 😋
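The point above can be demonstrated end to end. The script below is an added example, not code from the devguide, from GitHub's documentation, or from anyone in this thread: it generates a throwaway GPG key whose user ID claims an arbitrary email address (the `release-manager@example.org` address is constructed for the example and belongs to nobody), signs an empty commit with it in a scratch repository, and then asks `git verify-commit` what it thinks. Git reports a good signature and echoes the claimed identity back, because the only thing the signature proves is possession of the private key. It needs `gpg` (2.1 or newer) and `git` on `PATH` and uses an isolated `GNUPGHOME`, so the host's real keyring is never touched.

```shell
#!/bin/sh
# Added demonstration (not code from the devguide, GitHub, or the thread).
# It shows what gpshead describes: git reports a good signature as long as
# the signer holds the private key; the name and email on the key are
# whatever the key's creator typed in.  Needs gpg (2.1+) and git on PATH.
set -eu

# Generate a throwaway signing key whose user ID claims $1 (any string the
# caller likes), sign an empty commit with it, and print gpg's raw status
# lines from `git verify-commit`.  Returns 0 when git accepts the signature.
sign_with_claimed_identity() {
    claimed_email="$1"
    work="$(mktemp -d)"
    repo="$work/repo"

    # Isolated keyring so the host's real keys are never touched.
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Unattended key generation; nothing here checks that the email is ours.
    gpg --batch --no-tty --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Someone Else
Name-Email: $claimed_email
Expire-Date: 0
%commit
EOF
    keyid="$(gpg --batch --no-tty --list-secret-keys --with-colons \
        | awk -F: '$1 == "sec" { print $5; exit }')"

    git init -q "$repo"
    git -C "$repo" -c user.name='Someone Else' -c user.email="$claimed_email" \
        -c user.signingkey="$keyid" \
        commit -q --allow-empty -S -m 'signed by whoever holds the key'

    # --raw prints gpg's machine-readable status to stderr; a GOODSIG line
    # means git considers the commit verified, identity claim included.
    if git -C "$repo" verify-commit --raw HEAD 2>&1; then
        status=0
    else
        status=$?
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    return $status
}

# Stand-alone run: the constructed address below belongs to nobody here,
# yet the GOODSIG line repeats it back as the signer's identity.
sign_with_claimed_identity 'release-manager@example.org'
```

The `GOODSIG` status line carries the key's primary user ID verbatim, which is exactly what a reader of `git log --show-signature` sees. GitHub's "Verified" badge adds one check on top of this, that the committer email matches an address already verified on the account that uploaded the key, which is why it tells you no more than a login to that account does.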

Mariatta commented 2 years ago

Thanks for the correction!