[FFmpeg-devel] [PATCH v2] doc/git-howto.texi: Document commit signing

James Almer jamrial at gmail.com
Tue Aug 23 21:07:53 EEST 2022 

On 8/23/2022 3:00 PM, Michael Niedermayer wrote:
> On Wed, Aug 10, 2022 at 12:19:02AM +0200, Michael Niedermayer wrote:
>> On Tue, Aug 09, 2022 at 04:38:56PM -0300, James Almer wrote:
>>> On 8/9/2022 4:34 PM, Michael Niedermayer wrote:
>>>> From: Michael Niedermayer <michael-git at niedermayer.cc>
> [...]
>>
>>>
>>>> +github consider mismatches a reason to declare such commits unverified. After generating a key you
>>>> +can add it to the MAINTAINER file and upload it to a keyserver.
>>>
>>> Maybe link some external documentation about gpg keys, explaining the
>>> difference between public and private keys,
>>
>> what do you recommend ?
> 
> ping ?
> we could link to the gpg docs but that seems kind of silly

I have no recommendation.

> 
> 
>>
>>
>>> how to encrypt the private one
>>> with a passphrase, etc.
>>
>> Have you tried to generate a gpg key without a passphrase ?

I probably mixed it in my mind with ssh keys, where you can store a 
private key unencrypted.

>> I just tried, and failed, gpg keeps asking for a passphrase until you enter
>> one or kill it. It kept haunting me and asking for a passphrase even after
>> trying ctrl-c
>>
>>
>>> Sites like gitlab tell you to not attempt to upload private keys,
>>
>> ok
>>
>>
>>> so i
>>> imagine quite a lot of people have mistakenly done so in the past.
>>
>> imagine?

"Every sign has a story". If Gitlab tells you to make sure to not 
attempt to upload a private key, then it could be that it has happened 
at some point.

>>
>> but what do you suggest? we can document how someone can create a key
>> upload it and so on. You can provide me with a url that describes a
>> working documentation for that, i surely do not have one. alot of
>> documentations are somewhat bad. Many keyservers have died recently
>> some existing keys like DSA seem to have some affinity to SHA1, and
>> SHA1 is rejected today while at the same time still default on many
>> setups, the one documentation i saw today to fix that DSA/SHA1 issue
>> requires you to have a backup as it breaks your keys and is wrong.

If there's no good documentation or tutorial for this, then lets not 
bother with it. Your patch should be fine as is.

> 
> 
> 
> 
> [...]
> 
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".

More information about the ffmpeg-devel mailing list