This is a bit of a frustration post. I’m not a professional and some stuff is super confusing. And it might not even be programming only, as this seems to be a general issue when it comes to signing and security in computers. Every time I have to reinstall my operating system (it’s really only a few times in a decade), one of the things I fear most is signing into GitHub, signing keys and setting up local git on my Linux machine. I want the verified badge. Every time it’s a fight in understanding and doing the right steps, creating GPG keys and access tokens and such.

Am I the only one who struggles with this? Right now I have set it up and my test repository has the badge again. Do people care about this? Especially people like me who do a few little CLI tools and scripts and nothing else. Am I doing enterprise-level security for the sake of an icon or is this really more secure? I do not have ANY professional background. As said, I seem to have set it up correctly now, so this is not asking for troubleshooting. Just wanted to hear about your opinion and experience, and if any of you care.

  • Flamekebab@piefed.social
    10 months ago

    It’s one of several reasons I moved to another platform. The amount of faff wasn’t worth it for the few projects I fiddle with.

    • Aatube@kbin.melroy.org
      10 months ago

      this is a security thing, not a faff thing. you don’t need to sign commits to push them

      plus gitlab and sourcehut are so much better

      • Flamekebab@piefed.social
        10 months ago

        OP asked for:

        “Just wanted to hear about your opinion and experience, and if any of you care.”

        I found the level of security required for basic functionality to be a hindrance. For small personal projects it felt like squashing a fly with a sledgehammer. A remote repo that is too much hassle to use is functionally the same as not using one.

        “plus gitlab and sourcehut are so much better”

        I think I’ll just edit out a mention of the platform I moved to. I wasn’t advocating for it. To be a bit more constructive - what makes those alternatives better?

        • Aatube@kbin.melroy.org
          10 months ago

          Commit signing is not required for any functionality, unless you opt in to some repository setting which you have to find for yourself first.

          These alternatives have vastly better UI that also lays out the screen much more efficiently, and they have more features. I find it much easier to locate information on platforms that aren’t Forgejo/Codeberg. Sourcehut’s federation through email also just works.