[go: up one dir, main page]
Skip to content

Better discovery for signed commits

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Signed commits are currently badged with a “Verified” button on the file browser and commit views:

When browsing a repository:

Screenshot 2023-05-15 at 3.19.53 PM.png

When viewing a commit:

Screenshot 2023-05-15 at 3.20.31 PM.png

This is functional but could be made more useful and discoverable:

  • In neither view is it obvious what is verified since what's being verified isn't the pipeline status (the closest file browsing view control) or the commit ID (the closest control on the commit view) but authorship, which suggests it should either be combined with the author display or use more precise text like “Verified Author”
  • In the file browse view, it's not interactive in any way. In the commit list or detail views, you can click on it to get an informative popup which tells you exactly what it means which is great, except that there's no indication that it's clickable and it doesn't even have a hover state. At some point after the page loads entirely it will gain a cursor state but that requires loading something like a megabyte of CSS in addition to the page JavaScript. Over our VPN connection, that meant that there was approximately a 10 second delay while that control appeared to be fully rendered but was missing the pointer effect.

Given how signed commits are getting more attention as everyone worries about supply-chain security, here's what I would propose:

  1. Make the click behaviour consistent across all views so everywhere you see it you can see the key which was verified.
  2. Make the display more obviously interactive, such as making it look more like a button.
  3. Try to make the buttons part of the author display so it's more visually clear what was verified. The obvious thing to try would be some kind of checkmark badge but I would worry that this would be confused as GitLab having verified the author's real-world identity.
  4. Consider a small form badge which would be suitable for use on the git blame view. If I'm reviewing code, it can be interesting to know which lines were part of unverified changes.
  5. Try to optimize the CSS structure so the display:pointer rule is loaded with less delay.
Edited by 🤖 GitLab Bot 🤖