Recommend using GPG signed commits vs. --signoff #79

Closed
lance opened this issue Apr 29, 2020 · 4 comments
Labels
type/discussion Issues that need to be decided/debated/discussed

Comments

@lance
Member

lance commented Apr 29, 2020

The --signoff flag for commits is not often used and is primarily a declaration that the committer has actually authored the code or has rights to submit code she has not written. Instead, I think it's better to use cryptographically signed commits which can also be enforced by GitHub (see protected branches in settings). Using GPG signatures on commits is generally a better way to ensure that a commit is coming from the person it appears to be coming from, vs. --signoff which is just a line of text at the bottom of a commit message. By using GPG signed commits, there is much more certainty that the commit is legitimate and coming from the person it appears to be coming from.
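The comment above separates two things a reviewer can check on a commit: a `Signed-off-by:` trailer, which is ordinary text in the commit message, and a GPG signature, which git verifies from the commit object's signature header. The script below is an added example written for this page, not code from the cloudevents project or from the commenter. It implements the textual trailer check the way a typical DCO bot does (the trailer's name and e-mail must match the commit author; that rule is an assumption), and reads git's own signature verdict through the `%G?` and `%GS` placeholders of `git log` for the cryptographic side. The sample commit message and author are constructed.

```python
"""Added example: the two different guarantees discussed in the issue.

A DCO sign-off is a plain-text trailer in the commit message, so checking
it is string matching. A GPG signature lives in the commit object and only
git (with gpg and the signer's public key available) can report on it.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Tuple

# "Signed-off-by: Full Name <email>" as written by `git commit --signoff`
SIGNOFF_RE = re.compile(r"^Signed-off-by:\s*(?P<name>.+?)\s*<(?P<email>[^>]+)>\s*$")


@dataclass
class DcoResult:
    ok: bool
    reason: str


def check_dco(message: str, author_name: str, author_email: str) -> DcoResult:
    """Pass when a Signed-off-by trailer matches the commit author.

    Nothing here is cryptographic: anyone can type the trailer. It records
    the author's declaration of origin, it does not prove who made the commit.
    The name/e-mail matching rule is an assumption modelled on common DCO bots.
    """
    found = []
    for line in message.splitlines():
        m = SIGNOFF_RE.match(line.strip())
        if m:
            found.append((m.group("name").strip(), m.group("email").strip()))
    if not found:
        return DcoResult(False, "no Signed-off-by trailer")
    for name, email in found:
        if name == author_name and email.lower() == author_email.lower():
            return DcoResult(True, f"signed off by {name} <{email}>")
    return DcoResult(False, "Signed-off-by trailer does not match commit author")


# Meaning of git's %G? placeholder (git-log(1), "pretty formats")
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity (key not trusted locally)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. public key missing)",
    "N": "no signature",
}


def describe_signature(code: str) -> str:
    """Translate a %G? status code into words."""
    return SIGNATURE_STATUS.get(code, f"unknown status {code!r}")


def good_signature(code: str) -> bool:
    """Only 'G' is a good signature from a key the local keyring trusts."""
    return code == "G"


def commit_signature(repo: str, rev: str = "HEAD") -> Tuple[str, str]:
    """Ask git for the signature status and signer name of one commit.

    Needs git, gpg and the signer's public key on the machine running it;
    when the key is missing git reports 'E', which is not the same as 'N'.
    """
    fmt = "%G?%x00%GS"  # status code, NUL byte, signer name
    out = subprocess.run(
        ["git", "-C", repo, "log", "-1", f"--format={fmt}", rev],
        capture_output=True, text=True, check=True,
    ).stdout
    code, _, signer = out.rstrip("\n").partition("\0")
    return code, signer


# Constructed sample commit; not a real commit from any repository
SAMPLE_MESSAGE = (
    "Fix trailing-slash handling in the HTTP binding\n\n"
    "Signed-off-by: Jane Doe <jane@example.com>\n"
)
SAMPLE_AUTHOR = ("Jane Doe", "jane@example.com")


def demo(sig_code: str = "N") -> dict:
    """Run the textual DCO check on the sample and pair it with a %G? verdict.

    The sample has no signature header, so a real `git log` would report 'N';
    pass the code returned by commit_signature() for an actual commit.
    """
    dco = check_dco(SAMPLE_MESSAGE, *SAMPLE_AUTHOR)
    return {
        "dco_ok": dco.ok,
        "dco_reason": dco.reason,
        "signature_ok": good_signature(sig_code),
        "signature": describe_signature(sig_code),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real checkout with `commit_signature(".", "HEAD")` and feed the code into `demo()`; a commit that passes `check_dco` but comes back `N` has the DCO trailer and no cryptographic evidence of origin, which is exactly the gap the issue describes.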

@helio-frota
Contributor

I agree with that 👍

@grant
Member

grant commented Apr 29, 2020

Yes please. I use GPG and have not seen any problems. It has been frustrating seeing commits fail for this project due to this requirement.

@lance lance added the type/discussion Issues that need to be decided/debated/discussed label May 1, 2020
@lance
Member Author

lance commented May 1, 2020

Looking into this a bit further, the --signoff requirement is from the need for CNCF to enforce a commit's "Developer Certificate of Origin". I discussed this with @duglin in Slack. That conversation is pasted below.

I think this issue should be closed, but will leave it open for a bit so folks can catch up.

--

Lance Ball 12:27 PM
@dug in the JS SDK, we have an issue open to discuss using GPG signed commits vs. --signoff . But I took a look at the commit logs for all of the other repos in the cloudevents org and it seems they all require --signoff commits. Is this a CNCF requirement or is it just convention... or something else?


dug 12:28 PM
let me check on how broad the requirement is... but DCO is the one we use
12:28
and --signoff is basically DCO

Lance Ball 12:28 PM
yeah

dug 12:31 PM
I don't think I've been involved in any project that requires GPG since I've never done that before 🙂

Lance Ball 12:34 PM
In GH repository branch protection settings you can check a box to require it. As a committer, once you configure it in git, it just happens - all commits are signed and you get the green Verified box for your commits in the commit log on GitHub.

dug 12:37 PM
is this really a problem for our SDKs? or is this more just a preventative thing? I would be nervous about raising the bar for a new committer - people already have trouble with git as it is. I would probably feel differently if k8s, kn, docker.... used GPG but, as I said, I've never seen the requirement
12:40
Another question... as I understand it, GPG is just about auth not about DCO, correct?

Lance Ball 12:41 PM
I think it came more from the fact that --signoff was a problem and I didn't want to suggest that we eliminate that without an alternative
12:42
definitely GPG is about auth and not DCO

dug 12:42 PM
why is --signoff a problem? Don't we need that if DCO is our CLA-thingy?
12:42
if anything I would think people who like GPG should be suggesting both, not just GPG

Lance Ball 12:42 PM
It's not a huge problem once you get used to it. But the first couple of PRs most people submit don't have signoff commits and have to fix it

dug 12:43 PM
yup - I can see that. But we need some kind of DCO/CLA process so it kind of feels like there are two threads being mixed up here

Lance Ball 12:43 PM
I'm fine not making this change. Really wanted to understand if the DCO requirement was coming from CNCF and if so, we'll probably just close this issue
12:43
(but I'm going to copy/paste this discussion to the issue)

dug 12:46 PM
so, I just checked and I'm told that the CNCF requires some kind of process - each project can choose DCO vs CLA vs ... but "no process" is not a valid choice. So, GPG vs --signoff are indeed separate topics

Lance Ball 12:46 PM
Understood - thanks for the clarification. I'll note all of this in the issue.

@lance
Member Author

lance commented May 4, 2020

Closing this issue since it seems at best we could add GPG signed commits as a requirement and I'm not sure I want to do that.

@lance lance closed this as completed May 4, 2020