@@ -23,6 +23,38 @@ at the same time, we might really want X but disagree with Y, meaning we
2323cannot merge the request. Using the Git-Flow branching model you can create
2424new branches for both of these features and send two requests.
2525
26+ Why Signing Is Important
27+ =======================
28+
29+ We ask that contributions have code commits signed. This is important in order
30+ to prove, as best we can, the provenance of contributions.
31+
32+ The developer pushing a commit as part of a PR isn't necessarily the person
33+ who committed it originally, if the commit is not signed. This distorts the
34+ commit history and makes it hard to tell where code came from.
35+
36+ If a person "signs" a commit, they are free to use any name, specifically
37+ one not their own. Again, the commit history cannot be relied on to determine
38+ the origin of the code, if one developer is spoofing another. A malicious person
39+ could commit bad code (for instance a virus) and make it look like another
40+ developer created it.
41+
42+ The best solution, while not fool-proof, is to "securely sign" your
43+ commits. Such commits are digitally signed, with a GPG-key, and
44+ associated with your github account. It still isn't foolproof, because
45+ a malicious developer could create a bogus email and account, but it is
46+ more reliable than an unsigned or a "signed" commit.
47+
48+ If you don't sign your commits, we **may ** accept your contribution,
49+ assuming it meets usefulness and contribution guidelines, but only
50+ if it isn't critical code and only after checking it carefully.
51+ If code performs an important role, we will insist that it be signed, and if
52+ it is critical code (however we interpret that), we will insist that your
53+ contributions be securely signed.
54+
55+ Read below to find out how to sign your commits :)
56+
57+
2658Basic Signing
2759=============
2860You must sign your work, certifying that you either wrote the work or
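Review bot: the new section uses "sign" (in quotes) and "securely sign" without saying what each means, and the distinction carries the whole argument; define them up front, e.g. that "sign" is the `Signed-off-by:` trailer added with `git commit -s` (a plain-text assertion anyone can write under any name) and "securely sign" is a GPG signature made with `git commit -S` whose key is registered with the GitHub account, so the "Basic Signing" heading that follows is clearly the former. Two smaller points in the same hunk: the bold markup in "we **may ** accept" has a space before the closing `**`, which will stop it rendering as bold (write `**may**`), and "GPG-key" / "github" should read "GPG key" / "GitHub" to match the rest of the document.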