cloudstack-dev mailing list archives

From Will Stevens <wstev...@cloudops.com>
Subject Re: GPG signing commits on Github
Date Wed, 06 Apr 2016 14:04:25 GMT
I don't think it is quite this simple.  There would have to be a way for
the GPG key to be associated with a specific ASF identity and I don't think
that is in place at this time.  Also, there would have to be verification
that the person who is committing has a GPG key AND that they are a
committer in ASF and have an identity there.  I think there are more moving
parts here than meet the eye, but we can definitely continue the discussion
and see where it can lead.

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <wido@widodh.nl> wrote:

>
> > On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogland@gmail.com> wrote:
> >
> >
> > Good reading for the Wednesday morning;) yes I think we need to go there
> > and maybe even ask it of our contributors.
> >
>
> It might please the ASF since we can now prove who made the commit. If we
> ask all committers to upload their public key and sign their commits we can
> check this.
>
> For Pull Requests we can probably also add a hook/check which verifies if a
> signature is present.
>
> Wido
>
> > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <wido@widodh.nl> wrote:
> >
> > > Hi,
> > >
> > > Github just added [0] support for verifying GPG signatures of Git
> > > commits to the web interface.
> > >
> > > Under the settings page [1] you can now add your public GPG key so
> > > Github can verify it.
> > >
> > > It's rather simple:
> > >
> > > $ gpg --armor --export wido@widodh.nl
> > >
> > > That gave me my public key which I could export.
> > >
> > > Git already supports signing [2] commits with your key.
> > >
> > > This makes me wonder, is this something we want to enforce? To me it
> > > seems like a good thing to have.
> > >
> > > Wido
> > >
> > > [0]: https://github.com/blog/2144-gpg-signature-verification
> > > [1]: https://github.com/settings/keys
> > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> > >
> >
> >
> >
> > --
> > Daan
>
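As an added illustration of the "hook/check which verifies if a signature is present" that Wido proposes (example code written for this archive page, not from the thread or from the CloudStack project): a POSIX shell check that reads git's `%G?` signature status for every commit in a range and rejects anything unsigned or not verifiable. The function names `classify_sig_status`, `check_signature_report` and `check_range` and the sample report are constructed here; the `%G?` placeholder and its letter codes are git's own.

```shell
#!/bin/sh
# Constructed example: reject pushes/PR ranges containing commits whose
# GPG signature git cannot verify as good.
# git log --format='%G?' prints one letter per commit:
#   G good, U good but key untrusted, N unsigned, B bad,
#   X/Y good but expired signature/key, R revoked key, E cannot check
#   (e.g. signer's public key not in the verifying host's keyring).
# Committers' public keys must be imported on the host running this
# check, which is the key-to-identity mapping Will asks about.

# Map one %G? letter to a verdict: ok, unsigned or bad.
classify_sig_status() {
  case "$1" in
    G|U) echo ok ;;
    N)   echo unsigned ;;
    *)   echo bad ;;
  esac
}

# Read "<sha> <status>" lines from stdin (output of
# git log --format='%H %G?' base..head), report offenders on stderr
# and return 0 only if every commit passes.
check_signature_report() {
  rc=0
  while read -r sha status; do
    [ -n "$sha" ] || continue
    verdict=$(classify_sig_status "$status")
    if [ "$verdict" != ok ]; then
      echo "REJECT $sha: $verdict signature (status '$status')" >&2
      rc=1
    fi
  done
  return $rc
}

# Run the check against a real range, e.g. from a pre-receive hook
# or a CI job: check_range origin/master HEAD
check_range() {
  git log --format='%H %G?' "$1..$2" | check_signature_report
}

# Constructed sample report (not from any real repository):
# one good, one unsigned, one bad signature.
SAMPLE_REPORT='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 B'
```

Feeding `SAMPLE_REPORT` into `check_signature_report` rejects the second and third commits; a hook would return that non-zero status to refuse the push.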
