
The web-flow signing system is for users’ convenience in places where it’s not feasible to sign the commit with their own private key: commits made in the web interface or on an ephemeral GH-provisioned VM (codespace). For the latter, you are free to send your own private key to your codespace so you can sign your own commits but GitHub cannot because they don’t have your private key and don’t want to have it. Defaults matter and signed commits are important.

As a sibling notes, this use case and similar ones is the reason the committer field exists as distinct from the author field. I think a $10K bounty for this bug speaks to how seriously they stand behind the fact that they will only sign and mark as verified commits whose author field matches an authenticated user.

(Disclaimer: former GH employee)
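The author/committer split described in the comment above, shown on a raw commit object. This is an added example, not part of the thread and not GitHub's code; the sample commit, its identities and the function names `parse_commit` and `signing_summary` are constructed for illustration, and the code only inspects headers without verifying any signature.

```python
import re

# Constructed sample in the layout printed by `git cat-file commit <id>`.
# Ids, names, e-mail addresses and the signature body are placeholders.
SAMPLE_COMMIT = """\
tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author Alice Example <alice@example.com> 1700000000 +0000
committer Hosting Service <noreply@hosting.example> 1700000000 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDERSIGNATUREBODY
 -----END PGP SIGNATURE-----

Update README from the web editor
"""

IDENT = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<when>\d+) (?P<tz>[+-]\d{4})$")

def parse_commit(raw):
    """Return (headers, message); continuation lines (leading space) are folded."""
    head, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:
            headers[key][-1] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, []).append(value)
    return headers, message

def signing_summary(raw):
    """Report who authored, who committed, and whether a signature header exists."""
    headers, _ = parse_commit(raw)
    author = IDENT.match(headers["author"][0])
    committer = IDENT.match(headers["committer"][0])
    if author is None or committer is None:
        raise ValueError("malformed author/committer line")
    # A gpgsig header only shows a signature is attached. Whether it is valid,
    # and which key made it, is a separate check (e.g. `git verify-commit`).
    signed = "gpgsig" in headers
    same = author["email"].lower() == committer["email"].lower()
    if not signed:
        kind = "unsigned"
    elif same:
        kind = "signed, author is committer"
    else:
        kind = "signed, committed on behalf of author"
    return {"author": author["email"], "committer": committer["email"], "kind": kind}
```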



> The web-flow signing system is for users’ convenience in places where it’s not feasible to sign the commit with their own private key:

Who signs all their commits? Joey Hess maybe? There are certainly others. But I’ve never seen anyone make a case for this. In fact only negative cases since it just encourages you to automate your signing process, which many are not comfortable with.[1]

I’m not important enough to sign anything.

On Bitbucket we push the big merge button and out comes a commit with the correct person attributed to it.[2] Even Atlassian manages to do this the correct way.

> For the latter, you are free to send your own private key to your codespace so you can sign your own commits but

Yeah GPG/SSH sign commits... who cares. Most people don’t.

> Defaults matter and signed commits are important.

I don’t care about your opinion.

I wouldn’t mind if this was an option that I could opt out of. (I’m wondering out loud, not asking you or anyone else.) I just haven’t heard of it yet.

I’m a Git user after all so I’m used to changing bad defaults.

> As a sibling notes, this use case and similar ones is the reason the committer field exists as distinct from the author field.

Quite a leap to go from attributing emailed-around patches to the correct author while also maintaining the committer (like the maintainer) to what looks equivalent to Norton Antivirus junk output stuffed 40 lines into someone’s email signature.

> I think a $10K bounty for this bug speaks to how seriously they stand behind the fact that they will only sign and mark as verified commits whose author field matches an authenticated user.

“I think the price they put on this SPOOFING vulnerability speaks to how serious they are about verified commits”, they said without irony.

“Sent from my GitHub”, ah they all felt at-ease immediately... wait the same platform that had a spoofing vulnerability?

[1] Well, allegedly. I have never signed anything so I don’t know.

[2] They committed it too. Or wait. Was that the merge button?



