Gitlab now supports verification of commit signatures and it would be awesome if we start signing commits. It is a relatively painless process and happens automatically with little configuration.
Spoofing authors in git is quite easy, actually provided as a command line option (--author, --reset-author), and I believe it would be a good practice to sign all the commits (even outside of Mailman).
Here are steps for how you can do that:
Add your public key to Gitlab (https://gitlab.com/profile/gpg_keys)
-S (capital S)
Here is the relevant section of
.gitconfig to auto-sign every commit
you make (no need for step 2 if you do this):
[user] name = Abhilash Raj email = email@example.com signingkey = 541EA0448453394FF77A0ECC9D9B2BA061D0A67C [commit] gpgsign = true
Once you have pushed a signed commit to Gitlab and have uploaded your gpg public key, you will see a green "Verified" button alongside every commit. (See https://gitlab.com/maxking/mailman/commits/msapiro/mailman-pending)