Except that the commit history is actually important when auditing a security-sensitive project.

After reading the guidelines for the Linux kernel I've always given full and proper commit descriptions for effectively all of my commits (with exceptions for projects which don't matter, and such messages aren't going to be read by anyone -- including me). I really wish more people did this, because it makes bisecting, backporting and otherwise spelunking projects much easier.

To put it in your analogy, it wouldn't be fair to judge a programmer by their handwriting. But it might be fair to judge a secretary by their handwriting (you'd be annoyed if your secretary didn't write down important details, or wrote them in a way that nobody could read them).



It's not really true to say that the commit history of a project is an important aspect in regards to security. Whether it's security-sensitive or not, a project has either been audited or it hasn't. And an audit doesn't rely on commit messages.


Yes, but usually audits are of a single snapshot in the repo's history. Understanding why a change was made is quite important, especially if someone touched security-sensitive code.



