[QGIS-Developer] Requiring signed commits?

Nyall Dawson nyall.dawson at gmail.com
Wed Jun 24 22:59:48 PDT 2026


On Fri, 19 Jun 2026 at 10:10, Even Rouault <even.rouault at spatialys.com>
wrote:
>
> Nyall,
>
> I've some doubts at what you're talking about exactly, given that looking
at https://github.com/qgis/QGIS/commits/master/ , your own commits don't
appear to be signed ;-)

Heh... I definitely did set this up once[1]... guess I forgot to do it
again when reconfiguring things at one stage.

> Is that commits signed with a GPG key (
https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
that appear with the "Verified" green label ?  Browsing recent commit
history, it seems only a minority of devs have that set up currently, so we
should allow for some grace period. I don't think that would be an obstacle
for regular contributors, but that might be more problematic for drive-by
contributors.  I'm not aware of other projects in our close surroundings
that mandate that currently.
> Do you have particular reasons for that ? To prevent identity theft?

Basically to start locking down our repo. I think it's a relatively small
step that would help establish more trust in our development process,
especially by big business.

Nyall

[1] From back when that guy was promising to make us all rich by converting
signed github commits into some crypto coin 🤣

>
>
> Even
>
> Le 19/06/2026 à 01:44, Nyall Dawson via QGIS-Developer a écrit :
>
> Hi list,
>
> Does anyone have any issues if I turn on this branch protection setting?
Is there ANY valid reason someone isn't using signed commits today?
>
> Nyall
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
> --
> http://www.spatialys.com
> My software is free, but my time generally not.
> Middle finger at you AI companies whose bots are destroying the remains
of the open Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20260625/7d55c404/attachment.htm>


More information about the QGIS-Developer mailing list