[tbb-dev] A proposal for signing commits with gpg

Georg Koppen gk at torproject.org
Wed Apr 29 06:15:06 UTC 2020


Nicolas Vigier:
> Hi,
> 
> Attached is a proposal for signing commits with gpg.
> 
> I also added it to this branch (using number 104, although this number
> can still change before merging):
> https://gitweb.torproject.org/user/boklm/tor-browser-spec.git/commit/?h=bug_34046&id=66abcf2003c5131b24ea17d4eb164a42bff9c193

Our nightly builds do not build from every commit so one could think
about the requirement being the tip of the master branch that always
needs to be signed. That might be less of a burden for some folks and
would work for me.

An orthogonal thing we should do, I think, is having git push hooks in
place that already enforce that, at least for browser-related branches.
There is no need to wait until tor-browser-build complains in a nightly
build. Rather the push should already fail to make sure the nightly
builds are not failing due to a non-signed tip.

Thirdly, I think it is okay if we introduce this gradually, starting
with browser-related repos which we have full control over and where there
is no need for any coordination/workflow change with/by other groups involved.

boklm: let me know when you feel you have incorporated the first round
of feedback sufficiently and then I'll add the proposal to the repo.
Good stuff!

Georg
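
A sketch of the push-time check suggested in the reply above, as an added example that is not part of the original mail or of the Tor Project's infrastructure: a server-side `pre-receive` hook that rejects a push when the new tip of a protected branch fails `git verify-commit`. The protected ref patterns, the `VERIFY_CMD` override, SHA-1 object ids and a server GnuPG keyring holding only permitted signers' keys are assumptions.

```shell
#!/bin/sh
# pre-receive hook: refuse a push whose new tip on a protected branch is unsigned.
# Assumed, not from the mail: the ref patterns below, and a server GnuPG keyring
# that contains only the keys of people allowed to sign.
set -f  # keep ref patterns such as maint-* from being expanded as file names

PROTECTED_REFS="${PROTECTED_REFS:-refs/heads/master refs/heads/maint-*}"
# Overridable so the logic can be exercised without a keyring (hypothetical knob).
VERIFY_CMD="${VERIFY_CMD:-git verify-commit}"
# All-zero object id git uses for "no commit" (SHA-1 repository assumed).
ZERO=0000000000000000000000000000000000000000

# Succeeds when ref $1 matches one of the protected patterns.
is_protected() {
    for pat in $PROTECTED_REFS; do
        case "$1" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# Reads "<old> <new> <ref>" lines on stdin, as git passes them to pre-receive.
# Only the pushed tip is checked, not every commit below it.
check_push() {
    rc=0
    while read -r old new ref; do
        is_protected "$ref" || continue
        # Branch deletion has no new tip to verify; handle it by separate policy.
        [ "$new" = "$ZERO" ] && continue
        if ! $VERIFY_CMD "$new" >/dev/null 2>&1; then
            echo "rejected: tip $new of $ref has no valid signature" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Run the check only when installed as hooks/pre-receive.
case "$0" in
    *pre-receive) check_push || exit 1 ;;
esac
```

Because `git verify-commit` accepts a good signature from any key in the keyring, the set of keys on the server is what defines who may sign a tip.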
