On Wed, Sep 14, 2022 at 1:31 PM Richard Biener wrote:

> How does this improve supply chain security if the signing happens
> automagically rather than manually at points somebody actually
> did extra verification?

It works only automatically if you have ssh-agent (and/or gpg-agent) running. I assume that's what developers do anyway because that's how they like to push changes to sourceware. If you don't have an agent you'll have to provide the signature of the signing key at the time of the commit.

> What's the extra space requirement if every commit is signed? I suspect
> the signatures themselves do not compress well.

The signatures are probably implemented as signed hashes of some sort. So, perhaps an additional SHA256 block plus infrastructure to determine the key used etc. I doubt that this is really measurable with today's disks and servers and network connections.
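As an added illustration of the two points discussed above (the signature travels inside the commit object, and its bytes are the storage overhead in question), here is a small parser for git's commit-object layout. It is example code written for this page, not part of the thread or of any sourceware tooling. The commit below is constructed: the hashes and the SSH-signature body are placeholders, while the `gpgsig` header and its space-prefixed continuation lines follow git's actual object format. The code also rebuilds the payload git hands to the verifier, which is the commit with the `gpgsig` header removed.

```python
"""Measure the space a signature adds to a git commit object.

Example code for this thread; not from git, sourceware or the authors.
"""

# Constructed sample commit object. Tree/parent hashes and the base64 body of
# the SSH signature are placeholders, not real values.
SAMPLE_COMMIT = b"""tree 1111111111111111111111111111111111111111
parent 2222222222222222222222222222222222222222
author Example Dev <dev@example.org> 1663160000 +0200
committer Example Dev <dev@example.org> 1663160000 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPLACEHOLDERPLACEHOLDERPLAC
 EHOLDERPLACEHOLDERPLACEHOLDERAAAAA2dpdAAAAAAAAAAGc2hhNTEyAAAAUwAAAAtzc2
 gtZWQyNTUxOQAAAEBQTEFDRUhPTERFUlBMQUNFSE9MREVSUExBQ0VIT0xERVJQTEFDRUhP
 TERFUlBMQUNFSE9MREVSUExBQ0VIT0xERVI=
 -----END SSH SIGNATURE-----

Fix a typo in the README
"""


def parse_commit(raw: bytes):
    """Split a raw commit object into (headers, message).

    headers is a list of (name, value) pairs. Multi-line header values are
    stored by git as continuation lines that start with a single space; they
    are joined back together here with newlines.
    """
    head, _, message = raw.partition(b"\n\n")
    headers = []
    for line in head.split(b"\n"):
        if line.startswith(b" ") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b"\n" + line[1:])
        else:
            name, _, value = line.partition(b" ")
            headers.append((name, value))
    return headers, message


def signed_payload(raw: bytes) -> bytes:
    """Return the bytes git feeds to the signature verifier: the commit object
    with the gpgsig header and its continuation lines stripped out."""
    head, sep, message = raw.partition(b"\n\n")
    kept = []
    in_sig = False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            continue
        if in_sig and line.startswith(b" "):
            continue
        in_sig = False
        kept.append(line)
    return b"\n".join(kept) + sep + message


def signature_format(sig: bytes) -> str:
    """Classify the signature by its armor line (how git tells key types apart)."""
    first = sig.split(b"\n", 1)[0]
    if first == b"-----BEGIN SSH SIGNATURE-----":
        return "ssh"
    if first == b"-----BEGIN PGP SIGNATURE-----":
        return "openpgp"
    return "unknown"


def signature_overhead(raw: bytes) -> dict:
    """Report how many bytes of the commit object are signature rather than content."""
    headers, _ = parse_commit(raw)
    sig = next((v for n, v in headers if n == b"gpgsig"), None)
    if sig is None:
        return {"signed": False, "format": None, "total": len(raw),
                "signature": 0, "fraction": 0.0}
    extra = len(raw) - len(signed_payload(raw))
    return {"signed": True, "format": signature_format(sig), "total": len(raw),
            "signature": extra, "fraction": extra / len(raw)}


if __name__ == "__main__":
    report = signature_overhead(SAMPLE_COMMIT)
    print(f"signed={report['signed']} format={report['format']} "
          f"signature_bytes={report['signature']} of {report['total']} "
          f"({report['fraction']:.0%})")
```

For a real repository the same measurement can be made on `git cat-file -p <commit>` output; the signature is a few hundred bytes of base64 per commit, which is what the size discussion above is about.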