[Bug 559524] Should we require commits to be signed

Bugzilla Link: 559524
Status: NEW
Importance: P3 normal
Reported: Jan 24, 2020 12:10 EDT
Modified: Feb 09, 2022 16:13 EDT

Description

Why Sign Git Commits?

Signing a Git commit would help us confirm that the author is who they said they are with a bit more certainty.

My concern is that anyone without any legal paperwork with us could potentially submit a PR/Gerrit patch on behalf of another contributor with a valid ECA.

For example, you can easily set/change the author of a commit with this command:

    git commit --amend --author="Wayne Beaton <wayne.beaton@eclipse-foundation.org>"

The ECA validation would be successful since Wayne does have a valid ECA on file. The problem here is that Wayne did not submit this commit.

From a legal perspective, should we consider requiring committers and contributors to sign their commit?

About commit signature verification on Github:
https://help.github.com/en/github/authenticating-to-github/about-commit-signature-verification
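An added example (not part of this bug report and not the Eclipse Foundation's ECA validator) of the kind of check that would close the gap described above: instead of trusting the author field alone, audit the output of `git log --format='%H%x09%G?%x09%ae%x09%GS'` and reject any commit that is unsigned, carries a non-good signature, or whose signing key identity does not match the author e-mail. The log lines below are constructed sample data, and the check assumes the signer uid reported by `%GS` carries the key's e-mail in `Name <email>` form.

```python
import re

# Constructed sample of `git log --format='%H%x09%G?%x09%ae%x09%GS'` output.
# Fields are tab-separated: commit hash, signature status, author e-mail, signer uid.
SAMPLE_LOG = """\
a1b2c3d4\tG\twayne.beaton@eclipse-foundation.org\tWayne Beaton <wayne.beaton@eclipse-foundation.org>
e5f6a7b8\tN\twayne.beaton@eclipse-foundation.org\t
c9d0e1f2\tG\twayne.beaton@eclipse-foundation.org\tSomeone Else <someone@example.org>
0011aabb\tU\tdev@example.org\tDev Person <dev@example.org>
"""

# git %G? codes: G good, U good but untrusted key, B bad, X/Y expired,
# R revoked key, E cannot be checked (key missing), N no signature.
ACCEPTED_STATUS = {"G"}  # policy assumption: only good signatures from trusted keys

EMAIL_RE = re.compile(r"<([^>]+)>")


def check_commit(line):
    """Return (commit, reason); reason is None when the commit passes the policy."""
    fields = line.split("\t")
    if len(fields) != 4:
        return (line, "malformed log line")
    commit, status, author_email, signer = fields
    if status == "N":
        # This is exactly the spoofed-author case: the author field names a
        # contributor with an ECA, but nobody proved control of that identity.
        return (commit, "unsigned commit")
    if status not in ACCEPTED_STATUS:
        return (commit, f"signature status {status} not accepted")
    match = EMAIL_RE.search(signer)
    if not match:
        return (commit, "signer uid has no e-mail address")
    signer_email = match.group(1).strip().lower()
    if signer_email != author_email.strip().lower():
        return (commit, f"signer {signer_email} does not match author {author_email}")
    return (commit, None)


def audit_log(text):
    """Run check_commit over every non-empty log line; return the list of failures."""
    failures = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, reason = check_commit(line)
        if reason is not None:
            failures.append((commit, reason))
    return failures


if __name__ == "__main__":
    for commit, reason in audit_log(SAMPLE_LOG):
        print(f"REJECT {commit}: {reason}")
```

Only the first sample commit passes; the second is the unsigned spoof, the third is signed by a key that does not belong to the claimed author, and the fourth is signed by a key the verifying host does not trust.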