Request: Can the signed commits PR requirement be removed? #126
-
|
Signed commits are a bit advanced for new contributors to learn and creates a higher barrier to contribution. There are a couple of PRs that can be merged in if this requirement is removed: |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
@canterberry mind if the requirement is removed? |
Beta Was this translation helpful? Give feedback.
-
|
Signed commits are a requirement across the Twuni organization, so for as long as the repo is hosted here, signed commits are a requirement. I understand that it adds friction because it requires something more of contributors than the code change itself, but the requirement does have merit! It creates cryptographically strong and service-agnostic provenance, authenticity, and integrity for commit history, defending contributions against tampering by myself or others with privileged access to the GitHub repo. It's also a small additional safeguard against contributions from bots and other potential malicious actors. It has not been my experience or observation that configuring git for signing commits is a particularly difficult or arduous task, even for junior developers. Granted, most people I have assisted with this have viewed it as a nuisance, but it has never turned out to be more than a few minutes of effort. For these reasons, I don't (personally) view requiring signed commits to be an unreasonable ask. GitHub does have some tools available for this sort of thing, which we're not currently taking advantage of. CONTRIBUTING.md and some other things that make it easy to discover what contribution requirements are, and to help ensure that PRs are healthy without reviewers having to block on procedural issues. Are there any GitHub features we could be using to help contributors follow contribution guidelines prior to PR review? |
Beta Was this translation helpful? Give feedback.
-
|
That's a good point, I'll create a PR to add a |
Beta Was this translation helpful? Give feedback.
Signed commits are a requirement across the Twuni organization, so for as long as the repo is hosted here, signed commits are a requirement. I understand that it adds friction because it requires something more of contributors than the code change itself, but the requirement does have merit!
It creates cryptographically strong and service-agnostic provenance, authenticity, and integrity for commit history, defending contributions against tampering by myself or others with privileged access to the GitHub repo. It's also a small additional safeguard against contributions from bots and other potential malicious actors.
It has not been my experience or observation that configuring git for sig…