bug#22883: Trustable "guix pull"

[Leo Famulari]

On Tue, Apr 26, 2016 at 12:25:11AM +0200, Ludovic Courtès wrote:
> Hello!
> 
> Christopher Allan Webber <address@hidden> skribis:
> 
> > On top of that, even if you run from git proper what there isn't a test
> > about is: can you trust those latest commits?  Git doesn't really check,
> > at least by default.
> >
> >   https://mikegerwitz.com/papers/git-horror-story
> >
> > How about this: anyone with commit access should use "signed off by" and
> > gpg signatures combined.  We should keep some list of guix committers'
> > gpg keys.  No commit should be pushed to guix without a gpg signature.
> > At this point, at least, there is some possibility of auditing things.
> 
> To make progress on this front, I’ve decided to start signing all my
> commits, so:
> 
> --8<---------------cut here---------------start------------->8---
> $ git config commit.gpgsign
> true
> $ git config --global user.signingkey
> 090B11993D9AEBB5
> --8<---------------cut here---------------end--------------->8---
> 
> I invite everyone to do the same.  Hopefully, within a few weeks, we can
> add a commit hook to reject unsigned commits.

Okay.

> Note that we’ll be signing patches we push on behalf of contributors who
> do not have commit access (reviewer’s responsibility).
> 
> Also, rebasing, amending, and cherry-picking code signed by someone else
> would lose the original signature, which isn’t great and should be
> avoided, if possible.

I think it's common to make minor edits when committing on behalf of
others. For example, the committer might clean up a commit message or
standardize indentation.

How should we handle this?