> the resulting merge commit will contain a copy of my GPG signature from the git tag.
Ah, I see. Thank you for the clarification.
It was not overall integrity of the trees that I was bringing into question. While the code review process may be a problem for certain organizations, I am not doubting that process for the kernel. With such a process in place, signed tags are likely to be sufficient, yes.
Note, however, that one of the points I was trying to make with the article was proof of authorship (to prevent someone from committing as you, much the same way as you would want to prevent someone from fraudulently sending an e-mail or message through any other means). It is for this reason that the workflow you described is not a complete alternative, but would be an excellent means of augmenting the review process for any project.
That said, author identity is not a concern for most projects, in which case, based on the quoted portion of your comment above, my arguments do not necessarily apply (assuming that all commits that are not yet ancestors of a tag are ancestors of a signed merge, as mentioned in your comment).
Might I ask how the maintainers deal with issues of identity? If they encounter a commit in your pull request that appears to be from a well-known contributor, do they verify his/her identity before merging, or do they not care?
We do have a ring of trust which we established recently, which is rooted in cross-signed keys belonging to Linus Torvalds, Dirk Hohndel, Peter Anvin, and myself. We all know each other quite well, both in person and via conference calls, so that was easy to set up after the kernel.org security breach. All keys in the key ring is signed by at least two, and preferably more, other trusted keys, all leading up to the root keys.
But that's only important from the perspective of knowing that a particular public key belongs to a person, which in turn is only really important when a maintainer wants to know whether or not the person who signed the git tag really is the submaintainer who is claiming to have signed the git tag.
Most of the time, we don't really worry about identity; what we worry about is the correctness of the commit. Especially for patches being sent via e-mail, I really couldn't care less whether the identity of the person sending the e-mail was Christoph Hellwig, or his evil twin. I'm still going to review the patch very carefully, because we all make mistakes. That's my job as the maintainer; to ultimately be a crap filter, and to reject crap, no matter whether it's written by someone famous or some nobody.
So when I send a pull request to my upstream maintainer (which in the case of ext4 is Linus), he really doesn't care about the identities of the authors in my pull request, because it is my reputation which is on the line; I'm the one who signed the git tag pointed to by the pull request. Just if it gets by me, and then it gets by Linus, it's ultimately Linus's reputation which is on the line.
So that's why your question is a bit ill-formed. Someone who is above me in the maintainership hierarchy isn't really going to care much about the identities of those who are below me in the maintainership hierarchy. The trust relationship is fundamentally between me and Linus, and then I have trust relationships between me and those developers below me. So Linus doesn't care about the identities of those which are two levels below him in the maintainership hierarchy, so long as he trusts me to have done my job properly. Of course, if Linus discovered that I had been blindly accepting pull requests from my downstream without doing proper quality control, then he'll yell at me and he might refuse to take future pull request from me (or at least threaten to do so). But normally, there's no need for him to verify the identity of the authors of commits in my pull request; he only needs to verify me, and to verify that he trusts my technical judgement and quality control checks and processes. If decides he doesn't trust me or my technical judgement then he won't accept pull requests from me; and in that case he would be absolutely right to do so.
Ah, I see. Thank you for the clarification.
It was not overall integrity of the trees that I was bringing into question. While the code review process may be a problem for certain organizations, I am not doubting that process for the kernel. With such a process in place, signed tags are likely to be sufficient, yes.
Note, however, that one of the points I was trying to make with the article was proof of authorship (to prevent someone from committing as you, much the same way as you would want to prevent someone from fraudulently sending an e-mail or message through any other means). It is for this reason that the workflow you described is not a complete alternative, but would be an excellent means of augmenting the review process for any project.
That said, author identity is not a concern for most projects, in which case, based on the quoted portion of your comment above, my arguments do not necessarily apply (assuming that all commits that are not yet ancestors of a tag are ancestors of a signed merge, as mentioned in your comment).
Might I ask how the maintainers deal with issues of identity? If they encounter a commit in your pull request that appears to be from a well-known contributor, do they verify his/her identity before merging, or do they not care?