PGP signing commits

Sven Brauch mail at svenbrauch.de
Thu Jun 11 21:34:27 BST 2026


Hi,

On 11.06.26 21:12, Martin Bednar wrote:
> On the topic of requiring GPG signed commits, opened here:
> https://invent.kde.org/kdevelop/kdevelop/-/merge_requests/896#note_1519822

What do you effectively do with these signatures? I.e. what meaningful 
verification can you do assuming a commit is signed, in doubt, by some 
random guy nobody has ever met? At best, you can say "this and this 
contribution are by the same person", but not even the opposite is true 
since people can just say they lost their key.

IMO this creates more trouble than it's worth, for new contributors but 
probably also for other people (think rebases, etc).

> And on a slightly related note: Anyone going to Akademy?

Not this year, sorry :(

Best,
Sven
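
The distinction drawn in the message above, as an added example that is not part of the original mail or of KDevelop's tooling: it sorts commits by what their signature status supports, using git's `%G?` status codes and `%GF` signing-key fingerprint. The log lines, hashes, fingerprints and addresses are constructed, and the `assess` function and its report keys are hypothetical names.

```python
from collections import defaultdict

# Constructed sample of `git log --format='%h|%G?|%GF|%ae'` output
# (hashes, fingerprints and addresses are made up for this example).
SAMPLE_LOG = """\
a1b2c3d|U|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice@example.org
b2c3d4e|U|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice@example.org
c3d4e5f|U|BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222|alice@example.org
d4e5f6a|N||bob@example.org
e5f6a7b|E||carol@example.org
f6a7b8c|G|CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333|dave@example.org
"""


def assess(log_text):
    """Sort commits by what their signature status actually supports."""
    report = {"identity": [], "continuity_only": [], "no_evidence": []}
    commits_by_key = defaultdict(list)
    keys_by_author = defaultdict(set)
    for line in log_text.strip().splitlines():
        commit, status, fingerprint, author = line.split("|")
        if status == "G":      # valid signature, key trusted by the verifier
            report["identity"].append(commit)
        elif status == "U":    # valid signature, key of unknown validity
            report["continuity_only"].append(commit)
        else:                  # N, E, B, X, Y, R: treated here as no evidence
            report["no_evidence"].append(commit)
            continue
        commits_by_key[fingerprint].append(commit)
        keys_by_author[author].add(fingerprint)
    # Same key on several commits: same keyholder, whoever that is.
    report["linked"] = {k: c for k, c in commits_by_key.items() if len(c) > 1}
    # Several keys under one address: a lost key or a different person;
    # the signatures alone cannot tell which.
    report["ambiguous_authors"] = sorted(
        a for a, keys in keys_by_author.items() if len(keys) > 1
    )
    return report


if __name__ == "__main__":
    for name, value in assess(SAMPLE_LOG).items():
        print(name, value)
```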