And related, git-upstage.
I’d love to see PGP commit signing integrated with Github someday. In the meantime, we just have to understand that the online commit log is not a definitive history of the source, even if it has a picture of the “author” beside it.
Github does track who pushed a commit, but it’s not exposed conveniently.
In the meantime, we just have to understand that the online commit log is not a definitive history of the source, even if it has a picture of the “author” beside it.
Same about e-mail from famous people promising you millions and billboards signed “-God”.
You can PGP-sign tags, and then you’ll notice if anyone attempts to rewrite that history to do something like this afterwards. AIUI Torvalds considered reviewing tags better practice than signing each individual commit, and built the tool for that workflow.
I could see that working well in github workflow - sign a tag for every pull request. I can’t think of a repo I’ve worked on that has a ton of tags, though, might be a PITA (hmmm)
I once spoke to a functional purist who argued that we should avoid branches in git because they’re mutable. Want to propose a change? Push a tag. Want to update your proposal following feedback? Push a new tag.
Note that you don’t need an external tool to spoof someone – Git already makes it easy. Just set the AUTHOR_NAME and AUTHOR_EMAIL environment variables before running git commit or git commit --amend. Git-blame-someone-else just adds a convenient way to do this for an existing commit.
git commit --amend