On Fri, Oct 18, 2019 at 08:34:17AM +0200, Nicolas Belouin wrote: > On 10/18/19 4:52 AM, Willy Tarreau wrote: > > On Thu, Oct 17, 2019 at 09:54:47PM -0400, Konstantin Ryabitsev wrote: > >> On Thu, Oct 17, 2019 at 06:30:29PM -0700, Greg KH wrote: > >>>> It could only possibly work if nobody ever adds their own > >>>> "Signed-Off-By" or > >>>> any other bylines. I expect this is a deal-breaker for most maintainers. > >>> Yeah it is :( > >>> > >>> But, if we could just have the signature on the code change, not the > >>> changelog text, that would help with that issue. > >> We totally should, and I even mused on how we would do that here: > >> https://urldefense.proofpoint.com/v2/url?u=https-3A__public-2Dinbox.org_git_20190910121324.GA6867-40pure.paranoia.local_&d=DwICaQ&c=slrrB7dE8n7gBJbeO0g-IQ&r=yZMPY-APGKyVIX7HgQFZJA&m=-7NJMybpa_bV7Y1FxWmqo1cUHOsDXAsRR1vvpQmYhyI&s=iFHNwBfYAPr---qMdv0mvKQAxqjXxvf1mAiAYZG6DIE&e= > >> > >> However, since git's PGP signatures are made for the content in the actual > >> commit record (tree hash, parent, author, commit message, etc), the only way > >> we could preserve them between the email and the git tree is if we never > >> modify any of that data. The SOB and other trailers would have to only be > >> applied to the merge commit, or migrate into commit notes. > > There's also the possibility to handle this a bit like we do when adding > > comments before the SOB: a PGP signature would apply to the text *before* > > it only. We could then have long chains of SOB, PGP, SOB, PGP etc. > > > > Willy > > I don't think it can work that easily as the signed content is not just > the message. > It would need git to support nesting signatures and to allow amending a > commit without > touching the signature and to allow adding one to cover the new content > and to have a > way to verify every step. > Moreover you won't be able to reparent the commit as a maintainer (wich > I think is > also a deal-breaker) For reference, we did something similar here[1]. I'll acknowledge it's somewhat of a niche use, and there's a danger with multiple signature types that could mean many different things... I do wonder if an over-lying tool could probably provide with more granular verification over mutiple gpg payloads inside of a commit... Cheers! -Santiago. [1] https://dl.acm.org/citation.cfm?id=3196523