PGP signing commits

Tomaz Canabrava tomaz.canabrava at gmail.com
Fri Jun 12 07:32:26 BST 2026


On Thu, Jun 11, 2026 at 10:34 PM Sven Brauch <mail at svenbrauch.de> wrote:

> Hi,
>
> On 11.06.26 21:12, Martin Bednar wrote:
> > On the topic of requiring GPG signed commits, opened here:
> >
> https://invent.kde.org/kdevelop/kdevelop/-/merge_requests/896#note_1519822
>
> What do you effectively do with these signatures? I.e. what meaningful
> verification can you do assuming a commit is signed, in doubt, by some
> random guy nobody has ever met? At best, you can say "this and this
> contribution are by the same person", but not even the opposite is true
> since people can just say they lost their key.
>
> IMO this creates more trouble than it's worth, for new contributors but
> probably also for other people (think rebases, etc).
>

I completely agree with Sven.
I don't see a single good reason to require GPG-signed commits. This
will only create a higher barrier of entry for newcomers, and not just
newcomers: there are a lot of *current* developers that never bothered to
create or use a GPG key. The tooling around it is honestly horrible.
Having a GPG-signed commit is - imo - the same thing as having the
Signed-off-by line.
Nothing.

> > And on a slightly related note: Anyone going to Akademy?
>
> Not this year, sorry :(
>
> Best,
> Sven
>