Why we should consider verified commits

[zstix]

Description

This PR is a proof of concept: DO NOT MERGE.

At the moment, we don't enforce verification that whose who author a commit are actually who they say they are. For example, this PR has 4 commits:

• 19da220 in which I "impersonated" @austin-schaefer
• 1b6d5da in which I "impersonated" @jpvajda
• fbee8bd in which I "impersonated" @roadlittledawn
• 4e00bad in which I committed, with a verification, that I was truly the author

The last commit was achieved by generating and adding a GPG key to my account and setting my git client to use that key. No one but me can have a "verified" commit.

I believe this can easily be done in Github Desktop as well.

I suggest that we consider asking core contributors to set it up. Here is some additional information about "verified" commits, including a new feature called "vigilant mode", where you're required to sign your commits.

Related Screenshot(s)

[zstix]

Oh, I should have included an explanation of how I did this. The following two commands can be used to set "your" name and email:

git config user.name "Someone Else"
git config user.email "their-email-or-gh-address"

[gatsby-cloud]

Gatsby Cloud Build Report

docs-website-develop

🎉 Your build was successful! See the Deploy preview here.

Build Details

View the build logs here.

🕐 Build time: 44m

[zstix]

I just enabled "Vigilant Mode" on my Github account. Here's a screenshot of a PR I have open (in the developer site repo) that has some verified and some unverified commits:

[austin-schaefer]

Hi @zstix , cleaning out the board a bit and ran across this one. We're still tracking the docs work on this in DOC-7463 though and it's on our radar.