gemini://alexschroeder.ch/2024-01-25-signed-commits

The post on commit signing by @glyph@mastodon.social reminds me of my reluctance to electronically sign private emails. To me, signing documents is a tool society uses against the people doing the signing. It’s a liability I take upon myself in order to get something: a wedding, a house – the other party is binding me to something. Conversely, when I’m not getting something of value I’m not signing anything. I prefer the liberty to repudiate everything. “I didn’t write this.” I’m not promising anything.

Let's go back to signed commits, however. When looking at it from the point of view of a corporation, I feel that cryptographically signed commits don't help against bugs, malware, spies, or anything like that.

No, signed commits provide a different kind of security, if you can call it that. The only leverage signed commits provide is that the corporation can blame the person who signed the commit and inflict consequences on them because it's hard to deny that they did sign the commit. Even if the corporation didn't want to inflict consequences on developers, it might have to abide by some certification process or insurance-related policies that enables other corporations to go after the developers.

It's a bit like the security provided by cameras. They don't help the victim being filmed. They might help punish a perpetuator, maybe. There's no guarantee that this increases overall security.

In all cases, as a developer, these signed commits are against my personal interest. Signing commits is a liability. It's in the interest of the employer, never in the interest of the employee.

As a user interested in code quality, I don't really care who committed the code. I'm interested in access control to the repository so that only the people I trust merge code they deem to be correct. If this kind of verification isn't possible, then I'm starting to see a use case for signed commits.

Assume that somebody sends me commits from a remote repository and I can't look at them for lack of time or lack of expertise. They claim to be somebody I trust, like a contributor I know, or a co-worker, and I need to decide whether to merge the commit. Now a signature for the commit they're trying to get me to add (and therefore all its ancestors) might make sense.

Signed commits