On Wed, May 11, 2016 at 10:34 AM, Kent Fredric <kentfred...@gmail.com> wrote:
>
> There's an added security measure that exists /outside/ the gentoo
> source control.
>

It also fails differently. If I find out that somebody compromised ssh in some way, doubt is cast on any commit during the period in which the ssh server was vulnerable, and that could go back quite a ways. If I find out that somebody's gpg key was compromised, then at most that one developer's commits are tainted. Obviously an ssh breach could be limited to a single account as well, but it has a server-wide component for which a parallel in git doesn't really exist.

In any case, nobody has proposed getting rid of the requirement that a known key be used to sign all direct commits to the tree. That direct commit could have a parent that is not signed with a key known to Gentoo.

My sense is that most here would agree that most of our routine commits should just be rebased, but merge commits have a legitimate place, and it wouldn't hurt to better document what we consider best practices (which seem to include rebasing merge commits when practical). I suspect that improvement is ultimately going to come down to volunteer interest in creating that documentation, as with much of the rest of our workflow.

--
Rich