A few days ago, someone accidentally committed with the wrong committer:

$ git log --pretty=fuller --grep larry@gentoo.org
commit 4923128a80b2a59ad47935cdf6dd8d13c4d5ab70
Author:     Thiago Donato Ferreira <flowlnlnln@gmail.com>
AuthorDate: Tue Nov 15 14:22:41 2022 -0300
Commit:     Larry the Cow <larry@gentoo.org>
CommitDate: Tue Nov 15 22:00:12 2022 +0100

    games-action/prismlauncher: drop 5.0

    Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/28288
    Signed-off-by: Larry the Cow <larry@gentoo.org>

commit 738e102233faf498e1d3c06db700b92969804319
Author:     Thiago Donato Ferreira <flowlnlnln@gmail.com>
AuthorDate: Tue Nov 15 14:22:23 2022 -0300
Commit:     Larry the Cow <larry@gentoo.org>
CommitDate: Tue Nov 15 22:00:11 2022 +0100

    games-action/prismlauncher: add 5.2

    Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
    Signed-off-by: Larry the Cow <larry@gentoo.org>

$ git verify-commit 4923128a80b2a59ad47935cdf6dd8d13c4d5ab70 738e102233faf498e1d3c06db700b92969804319
gpg: Signature made Tue 15 Nov 2022 03:00:12 PM CST
gpg: using RSA key DF355FAF68A43A684383AD23A2E2304370447E8E
gpg: Good signature from "Andrew Ammerlaan <andrewammerlaan@gentoo.org>" [unknown]
gpg: aka "Andrew Ammerlaan <andrewammerlaan@riseup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
06FF5341BD805DB0BC7D07A6A19F636CD4EDBCD1 DF355FAF68A43A684383AD23A2E2304370447E8E
gpg: Signature made Tue 15 Nov 2022 03:00:11 PM CST
gpg: using RSA key DF355FAF68A43A684383AD23A2E2304370447E8E
gpg: Good signature from "Andrew Ammerlaan <andrewammerlaan@gentoo.org>" [unknown]
gpg: aka "Andrew Ammerlaan <andrewammerlaan@riseup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
06FF5341BD805DB0BC7D07A6A19F636CD4EDBCD1 DF355FAF68A43A684383AD23A2E2304370447E8E

So, this indicates a couple problems with our git hooks:

- Should verify that committer is equal to one of the S-o-b identities
- Should verify that this identity is one of the UIDs of the GPG signer, though this shouldn't be too strict given some people have things like "Gentoo key" in their UIDs
- Should verify that this identity is that of someone who should be committing to $REPO (though this may very well be superfluous)
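
The first two checks proposed above, sketched as an added example (not part of the original message and not Gentoo's actual hook code), run against the first commit quoted in the post. It assumes identities are compared by e-mail address only, case-insensitively, so that UID names such as "Gentoo key" do not matter; all function and constant names are hypothetical.

```python
import re

EMAIL = re.compile(r"<([^<>\s]+)>")
GPG_UID = re.compile(r'^gpg:\s+(?:Good signature from|aka)\s+"([^"]+)"', re.M)

def email_of(identity):
    """Lower-cased address from a 'Name <addr>' identity, or None."""
    m = EMAIL.search(identity)
    return m.group(1).lower() if m else None

def signoff_emails(message):
    """Addresses from the Signed-off-by trailers of a commit message."""
    found = []
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.lower() == "signed-off-by" and email_of(value):
            found.append(email_of(value))
    return found

def signer_emails(gpg_text):
    """Addresses of the signing key's UIDs, read from gpg's human-readable
    lines as quoted in the post (a real hook would read gpg's status output)."""
    return [e for e in map(email_of, GPG_UID.findall(gpg_text)) if e]

def check_commit(committer, message, gpg_text):
    """Names of the failed checks; an empty list means both passed."""
    addr = email_of(committer)
    failed = []
    if addr not in signoff_emails(message):
        failed.append("committer-not-in-signoffs")
    if addr not in signer_emails(gpg_text):
        failed.append("committer-not-in-signer-uids")
    return failed

# Values copied from the first commit shown in the post.
COMMITTER = "Larry the Cow <larry@gentoo.org>"
MESSAGE = """games-action/prismlauncher: drop 5.0

Signed-off-by: Thiago Donato Ferreira <flowlnlnln@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/28288
Signed-off-by: Larry the Cow <larry@gentoo.org>
"""
GPG_TEXT = """gpg: Good signature from "Andrew Ammerlaan <andrewammerlaan@gentoo.org>" [unknown]
gpg: aka "Andrew Ammerlaan <andrewammerlaan@riseup.net>" [unknown]
"""

if __name__ == "__main__":
    print(check_commit(COMMITTER, MESSAGE, GPG_TEXT))
```

On this commit the S-o-b check passes, because the wrong committer identity also appears in a Signed-off-by line, and only the signer-UID check fails.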