Also, this reminded me of a long-standing todo of adding GPG code signing to all my dev environments, and I did it now together with vigilant mode as mentioned elsewhere.
I also just turned on vigilant mode. I'd still like to see a more aggressive "if it ain't signed, it ain't mine" checkbox though. I'll sign everything that isn't a non-trivial change and, if I don't, I often even re-commit on my desktop later on so the commit gets its signature.
I suspect it is complicated to do for edge cases though. Let's say you contributed unsigned and with your email 10 years ago in some git repo currently not on GitHub, and then it is imported now. Then the import would fail and the owner of the repo would not be able to fix it without breaking everyone else's commits.
The import doesn't need to fail, it just needs to communicate clearly that the contributor isn't confirmed; maybe by leaving the username greyed out with an "unconfirmed" warning right next to it.
But then it is basically the same as today, except for the greying out?
Does it already mark unverified contributors? I've never seen that happen on GitHub.
Because very few enable vigilant mode, I guess. Here is one made by me before I started signing my commits.
My point is, when I enable vigilant mode, I don't want to show up in any contributor list unless at least one commit on that repository is signed, or at least only appear greyed out or something.
Of course, agreed
How do you turn on vigilant mode? I cannot find it. Worked it out.