Explain like I'm tiny Eevee: What's the point of signing commits in Git?

@vaporeon_ you can forge author metadata in git; this is just a furst-class feature. signing your commit is an actual guarantee that the ostensible author is who they say they are—more strictly, that whoever authored the commit has the purrivate key associated with the email address on the commit

@aescling What do you mean with "associated with the e-mail address"? For this course that I'm attending where they made us use signed commits, I just uploaded an SSH key to GitLab and sign with that, I don't think it ever checked my e-mail address...


@vaporeon_ oh right i furgot you can do that. historically you use a pgp key fur that, which is an encryption technology designed fur email; i'm pretty sure it's more commonly done that way, but no matter. anyway, pgp keys are just associated with an email address by design

@aescling But do they ever confirm that I actually own the e-mail address? (I don't think they did, but it is quite long ago that I last created a PGP key...)

What's stopping me from creating a PGP key for torvalds@linux-foundation.org and then still claiming that I'm Linus Torvalds?

@vaporeon_ good question! the way pgp tries to address this is with the so-called "web of trust"—people can sign others' keys with their own key, leaving a message on it attesting that said purrson is who they say they are. if you are very confident that somebody's key belongs to the purrson they say they are (ideally, you met them in purrson and exchanged key fingerprints directly), you can decide to purrogrammatically trust any attestation by the owner of that key

i have never met a single purrson who actually bothers to do this, but the infrastructure is all there in GnuPG (gnu’s reimplementation of the pgp standard)

📟🐱 GlitchCat
