[Bug 559524] Should we require commits to be signed
| Field | Value |
| --- | --- |
| Bugzilla Link | 559524 |
| Status | NEW |
| Importance | P3 normal |
| Reported | Jan 24, 2020 12:10 EDT |
| Modified | Feb 09, 2022 16:13 EDT |
Description
Why Sign Git Commits?
Signing a Git commit would help us confirm that the author is who they said they are with a bit more certainty.
My concern is that anyone without any legal paperwork with us could potentially submit a PR/Gerrit patch on behalf of another contributor with a valid ECA.
For example, you can easily set/change the author of a commit with this command:
git commit --amend --author="Wayne Beaton <wayne.beaton@eclipse-foundation.org>"
The ECA validation would be successful since Wayne does have a valid ECA on file. The problem here is that Wayne did not submit this commit.
From a legal perspective, should we consider requiring committers and contributors to sign their commit?
About commit signature verification on Github:
https://help.github.com/en/github/authenticating-to-github/about-commit-signature-verification
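The forgery described in the report, reproduced as an added example that is not part of the bug report or of the Eclipse Foundation's ECA tooling. It builds a throwaway repository, rewrites the author of its only commit to the ECA holder named above, and then runs the kind of check a "signed commits required" policy would add: reading `%G?` from `git log`, which is `N` for a commit carrying no signature at all. The committer identity and the `example.invalid` address are constructed for the demonstration; only git itself is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Eclipse Foundation:
# reproduces the author forgery and shows the check that a "signed commits
# required" policy would add. Assumes only that git is installed; the
# repository, the committer identity and the e-mail addresses are constructed.
set -e

# Create a throwaway repository whose only commit has a forged author.
# The committer identity comes from git config (the person who really ran
# git); --amend --author rewrites only the author header.
build_forged_repo() {
    repo=$1
    rm -rf "$repo"
    git -c init.defaultBranch=main init -q "$repo"
    git -C "$repo" config user.name  "Contributor Without ECA"   # constructed identity
    git -C "$repo" config user.email "nobody@example.invalid"     # constructed address
    git -C "$repo" config commit.gpgsign false
    echo "hello" > "$repo/file.txt"
    git -C "$repo" add file.txt
    git -C "$repo" commit -q -m "Initial commit"
    # The forgery: claim authorship for a contributor with a valid ECA on file.
    git -C "$repo" commit -q --amend --no-edit \
        --author="Wayne Beaton <wayne.beaton@eclipse-foundation.org>"
}

# What an ECA check that only reads the author header sees for HEAD.
author_of()    { git -C "$1" log -1 --format='%an <%ae>'; }
# Who actually created the commit object (separately forgeable via GIT_COMMITTER_*).
committer_of() { git -C "$1" log -1 --format='%cn <%ce>'; }
# Signature status of HEAD: G = good, B = bad, N = no signature, others = unverifiable.
signature_status() { git -C "$1" log -1 --format='%G?'; }

# List every commit in the repository that does not carry a good signature.
unsigned_commits() {
    git -C "$1" log --format='%H %G?' | awk '$2 != "G" { print $1 }'
}

# Policy check: succeed only if every commit carries a good signature.
check_all_signed() {
    [ -z "$(unsigned_commits "$1")" ]
}

demo=$(mktemp -d)
build_forged_repo "$demo"
echo "author:    $(author_of "$demo")"
echo "committer: $(committer_of "$demo")"
echo "signature: $(signature_status "$demo")"
if check_all_signed "$demo"; then
    echo "policy: all commits signed"
else
    echo "policy: reject, unsigned commits: $(unsigned_commits "$demo")"
fi
rm -rf "$demo"
```

Run it in an empty directory; it prints the forged author, the real committer and a signature status of `N`, and the policy check rejects the repository. The committer header is no stronger evidence than the author header, since both are set from environment variables or config by whoever runs git, so a server-side hook or Gerrit/GitHub rule has to key on the signature status (`%G?` being `G`, verified against keys the project has tied to an ECA holder), not on either name.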