> Production branches should be identified and configured:

> ...

> Require all commits to be GPG signed, using keys known in advance.

Is it possible to configure "all commits GPG signed" on Github? I haven't seen this option.

Another interesting thing that Github lacks is signed git pushes (`git push --signed`), which allow audit logging of who moved which object to which ref.
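The two requirements raised in this comment (every commit signed by a key known in advance, and the push itself signed) can both be enforced server-side in a git `pre-receive` hook, which is the mechanism the comment is asking GitHub for. The script below is an added example written for this thread, not code from the comment author or from GitHub: it uses the `%G?` (signature status) and `%GK` (signing key ID) placeholders of `git log --format` to check each commit in a pushed range against an allow-list, and the `GIT_PUSH_CERT_STATUS` variable that git sets in hooks when the client used `git push --signed`. The key IDs in `ALLOWED_KEYS` and the commit hashes in the comments are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Enforces "all commits signed by
# known keys" and "push itself signed" in a git pre-receive hook.
#
# %G? prints one letter per commit: G good, B bad, U good but untrusted,
# X good but expired, Y good but key expired, R good but key revoked,
# E cannot check (e.g. key not in keyring), N no signature.
# %GK prints the ID of the key that made the signature.

# Allow-list of signing keys "known in advance". Hypothetical placeholder IDs;
# override with the environment when deploying the hook.
ALLOWED_KEYS="${ALLOWED_KEYS:-0123456789ABCDEF FEDCBA9876543210}"

# check_commit_signatures reads "<hash> <status> <keyid>" lines on stdin, as
# produced by `git log --format='%H %G? %GK'`, and returns 0 only when every
# commit carries a good (G) signature made by a key in ALLOWED_KEYS.
check_commit_signatures() {
  local rc=0 hash status key
  while read -r hash status key; do
    [ -n "$hash" ] || continue
    if [ "$status" != "G" ]; then
      echo "reject $hash: signature status '$status' (need G)" >&2
      rc=1
      continue
    fi
    case " $ALLOWED_KEYS " in
      *" $key "*) ;;   # key is on the allow-list
      *) echo "reject $hash: signed by unknown key '$key'" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# verify_push_range checks every commit a ref update introduces. For a newly
# created ref oldrev is all zeros, so only commits not already reachable from
# any existing ref are inspected (they were checked when they first arrived).
verify_push_range() {
  local oldrev="$1" newrev="$2"
  case "$oldrev" in
    0000000000000000000000000000000000000000)
      git log --format='%H %G? %GK' "$newrev" --not --all ;;
    *)
      git log --format='%H %G? %GK' "$oldrev..$newrev" ;;
  esac | check_commit_signatures
}

# check_push_certificate requires a good signature on the push certificate that
# `git push --signed` sends. Git (2.2 and later) exposes its verification result
# to hooks as GIT_PUSH_CERT_STATUS; an unsigned push leaves it unset.
check_push_certificate() {
  case "${GIT_PUSH_CERT_STATUS:-}" in
    G) return 0 ;;
    *) echo "reject push: certificate status '${GIT_PUSH_CERT_STATUS:-unset}' (need G)" >&2
       return 1 ;;
  esac
}

# pre_receive_main is the hook entry point: git feeds "oldrev newrev refname"
# lines on stdin; a non-zero exit rejects the whole push.
pre_receive_main() {
  check_push_certificate || exit 1
  while read -r oldrev newrev refname; do
    verify_push_range "$oldrev" "$newrev" || { echo "rejected update of $refname" >&2; exit 1; }
  done
}

# Only run the hook logic when installed as hooks/pre-receive; sourcing the
# file elsewhere just defines the functions.
case "$0" in
  */pre-receive) pre_receive_main ;;
esac
```

Install it as `hooks/pre-receive` in the bare repository with `ALLOWED_KEYS` set to the fingerprints or key IDs of the maintainers, and make sure the server's keyring holds their public keys, otherwise every status comes back as `E` and every push is rejected. Checking `%GK` against an allow-list is what turns "signed" into "signed by someone we trust": a valid signature from an arbitrary key only proves possession of that key.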
It is a shame that a lot of critical projects (including compilers, browsers...) still try to do things a la CVS/SVN (even if they use a DVCS).

Please, stop it. Do it the way the kernel does it. A hierarchy of maintainers that reviews the work sent by others and a single person with commit access to the main repository.

I am amazed that these smart people have not realized yet that unrestricted commit access is simply a no-go, with or without signed commits/tags.