gpg decision: provide context around Github check

This commit is contained in:
Martin Klepsch 2018-02-19 11:00:11 +01:00
parent a8623c4154
commit 796b034486


@ -17,6 +17,11 @@ Naturally security is a concern that should be taken into consideration.
Currently an attacker might get access to an account of a team member
and pose as that developer, merging PRs and pushing changes.
Status.im as a company is also encouraging the use of GPG signing and
has a Pull Request check in place on Github. This check will mark PRs
as failing if the commits come from an organization member and have not
been GPG-signed.
## Decision
In order to verify that commits in the repository are actually authored by the specified
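Review bot: the new sentence describing the PR check ("This check will mark PRs as failing if the commits come from an organization member and have not been GPG-signed") should say what the check actually verifies: only that a signature is present, or that it validates against a key registered to that member's account. The distinction matters because the Consequences section below opens with the caveat that signing only helps given a trusted way of handling keys, and a reader of this section will otherwise assume the check already establishes authorship. Minor: "Github" here versus "GitHub" in the Appendix link text; pick one spelling.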
@ -29,6 +34,9 @@ It also introduces some complexity because contributors who want to sign
their commits need to set up the appropriate tooling. Due to that we will
not require outside contributors to sign their commits for now.
Adopting GPG signing for contributors will also make our PR checks pass
allowing us to more easily discern actually broken and working PRs.
## Consequences
GPG signing is only making things safer if we have a trusted way of
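Review bot: "Adopting GPG signing for contributors will also make our PR checks pass" is ambiguous right after the sentence saying outside contributors will not be required to sign. Since the check described earlier in this file only fails PRs for unsigned commits from organization members, suggest "for team members" (or "for organization members") so the statement matches the scope of the check. Also add a comma before "allowing" ("...make our PR checks pass, allowing us to...").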
@ -41,4 +49,4 @@ and we'll have to wait to see what comes out of that.
## Appendix
- [GitHub's instructions for setting up GPG signing](https://help.github.com/articles/signing-commits-using-gpg/)
- More discussion around the usefulness of GPG signing in [issue #285](https://github.com/status-im/open-bounty/issues/285)
- More discussion around the usefulness of GPG signing in [issue #285](https://github.com/status-im/open-bounty/issues/285)
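Review bot: the removed and added lines at the end of this hunk read identically in this view (both are the issue #285 bullet), and the header "-41,4 +49,4" confirms no net change in line count, so this looks like a whitespace-only change. If a wording change to the bullet was intended it did not land; if not, the pair can be dropped from the commit to keep the diff limited to the two content hunks above.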