by jvehent on 9/11/18, 3:46 PM with 54 comments
by Boulth on 9/14/18, 10:57 AM
> ...
> Require all commits to be GPG signed, using keys known in advance.
Is it possible to configure "all commits GPG signed" on GitHub? I haven't seen this option.
Another interesting thing that GitHub lacks is signed git pushes (`git push --signed`) that allow audit logging of who moved which object to which ref.
by throw28363 on 9/14/18, 11:29 AM
Please, stop it. Do it the way the kernel does it. A hierarchy of maintainers that reviews the work sent by others and a single person with commit access to the main repository.
I am amazed that these smart people have not realized yet that unrestricted commit access is simply a no-go, with or without signed commits/tags.