
You have to be able to push commits other people have made. E.g. if you work together in a different repo and then publish the result to GitHub, one person pushes all the commits.

Maybe GitHub should indicate more precisely who pushed the commit, but on the other hand that's often unnecessary noise as well.

If you want to be able to trust the data in a commit, it has to be signed (which nearly nobody does, and AFAIK GitHub doesn't display).
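
Added example, not part of the comment above or of any project's code: a small audit showing that a commit's author and committer are free-form fields and that git reports such a commit as unsigned. The function names and the Alice/Bob identities are constructed for illustration; the repository is a throwaway one created in a temp directory.

```shell
#!/bin/sh
# Build a throwaway repo holding one commit whose author and committer differ.
# Identities are constructed sample values; git takes them from the
# environment without checking them against anything.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q >/dev/null 2>&1 || return 1
    GIT_AUTHOR_NAME="Alice Example" GIT_AUTHOR_EMAIL="alice@example.com" \
    GIT_COMMITTER_NAME="Bob Example" GIT_COMMITTER_EMAIL="bob@example.com" \
    git -C "$repo" -c commit.gpgsign=false commit -q --allow-empty \
        -m "work by Alice, committed by Bob" || return 1
    printf '%s\n' "$repo"
}

# One line per commit: "<sig status> <short hash> <author email> <committer email>".
# %G? is git's signature status: N = no signature, G = good signature,
# B = bad signature, U = good signature with unknown validity.
audit_signatures() {
    git -C "$1" log --format='%G? %h %ae %ce'
}

# Number of commits that carry no signature at all.
count_unsigned() {
    audit_signatures "$1" | grep -c '^N '
}
```

Neither field records who pushed the commit; only a signature ties the commit data to a key.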



> You have to be able to push commits other people have made. If you work together in a different repo and then publish the result to GitHub, one person pushes all the commits.

I completely missed that use case. Thanks for the explanation!

You're right in that no one signs commits (unfortunately, including myself).


Someone should build a tool that autosigns your commits for you if you have proper SSH keys and emails.


There's an interesting discussion on Stack Exchange about whether it's useful to sign every commit:

http://programmers.stackexchange.com/questions/212192/what-a...


Signing commits bumps the size of the repo substantially. Not to mention that you then have to maintain your WoT connection in order to make sure people can verify that your key is actually yours (although you can use Keybase for that).



