[Python-Dev] python-checkins

Barry Warsaw barry at python.org
Tue Jul 13 22:10:04 CEST 2010


On Jul 13, 2010, at 09:56 PM, Éric Araujo wrote:

>Note that nothing in Mercurial forces you to have a parsable
>“Name <email>” user name, it’s just a good practice. Dirkjan’s mapping
>uses a dummy tools at python.org address for unknown IDs, which probably
>means the other tools he’s writing depend on an email address. That
>would need to be in the dev policy.

Bazaar has a facility for digitally signing commits, which I always enable.
While this is a local configuration, some projects I contribute to have merge
hooks which check the digital signatures and refuse the push if the revisions
are not signed with a known gpg key.

Does Mercurial have a similar feature?  If so, I would suggest that we enable
that and require committers to use registered gpg keys to sign their commits.
We'd always have a verifiable chain back to a responsible party, and
committers would be responsible for any changes or patches they merge on
behalf of others.  IME the overhead is pretty trivial, but then I'm quite
comfortable with gpg concepts and tools.

-Barry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-dev/attachments/20100713/a8109dc7/attachment.pgp>


More information about the Python-Dev mailing list