On Mon, Jan 22, 2018 at 13:57:07 +0000, Daniel Berrange wrote:
On Mon, Jan 22, 2018 at 02:20:52PM +0100, Peter Krempa wrote:
> On Mon, Jan 22, 2018 at 13:06:28 +0000, Daniel Berrange wrote:
> > On Mon, Jan 22, 2018 at 01:20:12PM +0100, Peter Krempa wrote:
> > > On Mon, Jan 22, 2018 at 12:05:19 +0000, Daniel Berrange wrote:
> > > > This extends the update hook so that it enforces a requirement to have a
> > > > Signed-off-by line in every commit message. This can be optionally
> > > > turned off in individual repos by setting the "hooks.allowmissingsob"
> > > > git config variable.
> > > >
> > > > Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> > > > ---
> > > > update | 16 +++++++++++++++-
> > > > 1 file changed, 15 insertions(+), 1 deletion(-)
[..]
> The sign-off by itself (without cryptographic signature) is just
> pointless. Validity with a cryptographic signature from drive-by
> contributors can still be unproven, but at least you don't get
> impersonation.
I think these are two different axes. The sob isn't trying to address the
question of impersonation. It obviously has as a starting point that you
accept the identity of the submitter to some degree. I accept that if you
have cryptographically signed patches, that would give a stronger
validation of identity, but there's never any absolutes. So not having
a crypto signature doesn't make the sob invalid.
In that case basically nothing changes, since if we are going to use
this to be safe from licensing disputes, the reviewer/committer still
needs to make sure that the code complies with our licensing. Asserting
the signoff changes nothing in that regard.
> If everything is signed off, nothing really is.
I don't really see that.
> NACK still stands.
You are nacking something that you've accepted above will have no negative
impact on your work, but has potentially significant upside to the project.
That is very disappointing.
I think that by doing this we'll put too much false hope into the
"potentially significant upside". I just hope it will not bite us.
Anyone can assert, or sign-off anything [1].
Given the overwhelmingly positive approach to this I retract my NACK, the
only thing that will change in general is that my commits will grow one
line.
I hope that I'm wrong with my pessimistic view.
Peter
[1] https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you're_a_dog
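
The check described in the quoted commit message, sketched as an added example: this is not the patch from the thread (its hunks are elided above) and not the project's own hook. Only the `hooks.allowmissingsob` variable comes from the thread; the function names and the trailer pattern are assumptions.

```shell
#!/bin/sh
# Added example, not the hook from this thread. Git runs a server-side
# update hook as: update <refname> <oldrev> <newrev>

# True if the commit message on stdin carries a "Signed-off-by: Name <addr>"
# line. Assumed pattern; it checks presence and shape only, not who wrote it.
has_signoff() {
    grep -Eq '^Signed-off-by: [^<>]+ <[^<> ]+>[[:space:]]*$'
}

# True if the argument is an all-zero object id (ref creation or deletion).
is_zero() {
    case $1 in *[!0]*) return 1 ;; esac
    return 0
}

# True if this repository opted out through hooks.allowmissingsob.
sob_optional() {
    [ "$(git config --bool hooks.allowmissingsob 2>/dev/null)" = "true" ]
}

# Reject the push if any commit it adds to the ref lacks a sign-off line.
check_push() {
    refname=$1 oldrev=$2 newrev=$3
    sob_optional && return 0
    is_zero "$newrev" && return 0            # deleting a ref adds no commits
    if is_zero "$oldrev"; then
        range="$newrev --not --all"          # new ref: skip commits already in the repo
    else
        range="$oldrev..$newrev"
    fi
    rc=0
    for c in $(git rev-list $range); do
        if ! git log -1 --format=%B "$c" | has_signoff; then
            echo "*** $refname: commit $c has no Signed-off-by line" >&2
            rc=1
        fi
    done
    return $rc
}

# Run as a hook only when called with the three update-hook arguments.
if [ "$#" -eq 3 ]; then
    check_push "$@"
    exit $?
fi
```

The trailer is free text, so a message signed off under any name satisfies `has_signoff`; tying a commit to an identity needs signature verification as a separate control.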