[QGIS-Developer] Requiring signed commits?

Even Rouault even.rouault at spatialys.com
Thu Jun 18 17:10:55 PDT 2026


Nyall,

I've some doubts at what you're talking about exactly, given that 
looking at https://github.com/qgis/QGIS/commits/master/ , your own 
commits don't appear to be signed ;-)  Is that commits signed with a GPG 
key 
(https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) 
that appear with the "Verified" green label ?  Browsing recent commit 
history, it seems only a minority of devs have that set up currently, so 
we should allow for some grace period. I don't think that would be an 
obstacle for regular contributors, but that might be more problematic 
for drive-by contributors.  I'm not aware of other projects in our close 
surroundings that mandate that currently.

Do you have particular reasons for that ? To prevent identity theft?

Even

Le 19/06/2026 à 01:44, Nyall Dawson via QGIS-Developer a écrit :
> Hi list,
>
> Does anyone have any issues if I turn on this branch protection 
> setting? Is there ANY valid reason someone isn't using signed commits 
> today?
>
> Nyall
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info:https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-developer

-- 
http://www.spatialys.com
My software is free, but my time generally not.
Middle finger at you AI companies whose bots are destroying the remains of the open Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20260619/4726a7a9/attachment.htm>


More information about the QGIS-Developer mailing list