
Chris Siebenmann

My standard attitude on digital signatures for anything, Git commits included, is that you should not sign anything unless you understand what you're committing to when you do so. This usually includes "what people expect from you when you sign things". Signing things creates social and/or legal liability. Do not blindly assume that liability without thought, especially if people want you to.

In re: fosstodon.org/@vbatts/11218557

Vincent Batts (@vbatts@fosstodon.org): PSA: now more than ever, sign your #git commits. Either `git commit -sS` every commit; or `git config commit.gpgSign 1` in a project; or `git config --global commit.gpgSign 1`. Use #GPG or even your existing #SSH key. More info:
- https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
- https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

@cks do you have any liability traps for examples?

This has never occurred to me, so I wish for a few concrete instances?

@shapr I don't have any examples but I certainly think there are social expectations based around the broad idea that if you sign something, you are in some way taking responsibility for it.

(In part because if signing things doesn't create any expectations, why do people want it? They want it for vague 'trust' reasons, at least.)

@shapr Legally, signatures in general make it hard to repudiate doing something, even if you didn't and your signature was forged and/or compromised.

@cks @shapr I feel like the implied social contract is the error like the implication that an HTTPS site is safe because it has a padlock and is secure.

IMHO the signature just means that it is me (or my keypair) that is taking this action.

We need to separate taking this action from any implied social contract.

@cks Getting people to read their own code before it goes into use is hard enough anyway!

@oclsc @cks as someone working in a shop that just passed a "signed commits only" policy and backed it with technical enforcement, EXTREMELY AGREE

"What do you mean I have to _read_ these pull requests?!? There are 12,500 modified files in this one!" "So up until now your workflow has been to just... merge blindly without looking at the contents..?" "Of course, what else could we possibly do with diffs that large?"

(At least it's surfacing stuff like this. That's... some kind of step.)