From Rafael Weingärtner <rafaelweingart...@gmail.com>
Subject Re: GPG signing commits on Github
Date Wed, 06 Apr 2016 15:41:15 GMT
Ah, ok
I had forgotten that, my bad.

On Wed, Apr 6, 2016 at 12:39 PM, Daan Hoogland <daan.hoogland@gmail.com>
wrote:

> On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
>> Sorry, but I did not understand. We do not have commit access to Github,
>> right?
>>
> I think we are talking about the new to be cloudstack organisation, right
> @Will?
>
>
>
>>
>> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <daan.hoogland@gmail.com>
>> wrote:
>>
>>> hm, no ;) We can control access to the organisation right? so we can
>>> close it for committers that don't have a valid key. We just need to think
>>> of a procedure for checking and registration.
>>>
>>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <wstevens@cloudops.com>
>>> wrote:
>>>
>>>> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
>>>> only that we can't allow commit access on Github because then we can not
>>>> limit it to only valid committers who COULD commit.  Is that clearer?
>>>>
>>>> *Will STEVENS*
>>>> Lead Developer
>>>>
>>>> *CloudOps* *| *Cloud Solutions Experts
>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> w cloudops.com *|* tw @CloudOps_
>>>>
>>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
>>>> rafaelweingartner@gmail.com> wrote:
>>>>
>>>> > I agree with Daan.
>>>> >
>>>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <daan.hoogland@gmail.com>
>>>> > wrote:
>>>> >
>>>> >> Will, we only need to be sure about the keys of committers. Only merge
>>>> >> commits we need to be sure of the signature and the merger needs to
>>>> >> verify the code. He can not assure that the origin of the code is
>>>> >> authentic but he can at least assure that the code is unchanged since
>>>> >> contribution when it is signed. I don't think we need more.
>>>> >>
>>>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <wstevens@cloudops.com>
>>>> >> wrote:
>>>> >>
>>>> >> > Ok, that is half.  But how do we verify that a Github user has a
>>>> >> > GPG key that is matching what is registered in the ASF?  Just because
>>>> >> > you have a GPG key does not mean you are an ASF committer, so the check
>>>> >> > would have to be made to verify the GPG is registered to an ASF
>>>> >> > committer before they would be allowed to actually commit via Github.
>>>> >> > How would this be resolved?
>>>> >> >
>>>> >> > *Will STEVENS*
>>>> >> > Lead Developer
>>>> >> >
>>>> >> > *CloudOps* *| *Cloud Solutions Experts
>>>> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> >> > w cloudops.com *|* tw @CloudOps_
>>>> >> >
>>>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
>>>> >> > rafaelweingartner@gmail.com> wrote:
>>>> >> >
>>>> >> >> There is a way to do that. When you become a committer, you can
>>>> >> >> register a key at [1], then that key (public key) is loaded to [2].
>>>> >> >> The key is associated with the committer's login. For instance,
>>>> >> >> this is my public key [3].
>>>> >> >>
>>>> >> >> [1] id.apache.org
>>>> >> >> [2] https://people.apache.org/keys/committer/
>>>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
>>>> >> >>
>>>> >> >>
>>>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <wstevens@cloudops.com>
>>>> >> >> wrote:
>>>> >> >>
>>>> >> >> > I don't think it is quite this simple.  There would have to be a way
>>>> >> >> > for the GPG key to be associated with a specific ASF identity and I
>>>> >> >> > don't think that is in place at this time.  Also, there would have
>>>> >> >> > to be verification that the person who is committing has a GPG key
>>>> >> >> > AND that they are a committer in ASF and have an identity there.  I
>>>> >> >> > think there are more moving parts here than meet the eye, but we
>>>> >> >> > can definitely continue the discussion and see where it can lead.
>>>> >> >> >
>>>> >> >> > *Will STEVENS*
>>>> >> >> > Lead Developer
>>>> >> >> >
>>>> >> >> > *CloudOps* *| *Cloud Solutions Experts
>>>> >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> >> >> > w cloudops.com *|* tw @CloudOps_
>>>> >> >> >
>>>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <wido@widodh.nl>
>>>> >> >> > wrote:
>>>> >> >> >
>>>> >> >> > >
>>>> >> >> > > > On 6 April 2016 at 10:50 Daan Hoogland <daan.hoogland@gmail.com> wrote:
>>>> >> >> > > >
>>>> >> >> > > >
>>>> >> >> > > > Good reading for the Wednesday morning ;) yes I think we need to
>>>> >> >> > > > go there and maybe even ask it of our contributors.
>>>> >> >> > > >
>>>> >> >> > >
>>>> >> >> > > It might please the ASF since we can now prove who made the commit.
>>>> >> >> > > If we ask all committers to upload their public key and sign their
>>>> >> >> > > commits we can check this.
>>>> >> >> > >
>>>> >> >> > > For Pull Requests we can probably also add a hook/check which
>>>> >> >> > > verifies if a signature is present.
>>>> >> >> > >
>>>> >> >> > > Wido
>>>> >> >> > >
>>>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <wido@widodh.nl>
>>>> >> >> > > > wrote:
>>>> >> >> > > >
>>>> >> >> > > > > Hi,
>>>> >> >> > > > >
>>>> >> >> > > > > Github just added [0] support for verifying GPG signatures of
>>>> >> >> > > > > Git commits to the web interface.
>>>> >> >> > > > >
>>>> >> >> > > > > Under the settings page [1] you can now add your public GPG
>>>> >> >> > > > > key so Github can verify it.
>>>> >> >> > > > >
>>>> >> >> > > > > It's rather simple:
>>>> >> >> > > > >
>>>> >> >> > > > > $ gpg --armor --export wido@widodh.nl
>>>> >> >> > > > >
>>>> >> >> > > > > That gave me my public key which I could export.
>>>> >> >> > > > >
>>>> >> >> > > > > Git already supports signing [2] commits with your key.
>>>> >> >> > > > >
>>>> >> >> > > > > This makes me wonder, is this something we want to enforce? To
>>>> >> >> > > > > me it seems like a good thing to have.
>>>> >> >> > > > >
>>>> >> >> > > > > Wido
>>>> >> >> > > > >
>>>> >> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
>>>> >> >> > > > > [1]: https://github.com/settings/keys
>>>> >> >> > > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>> >> >> > > > >
>>>> >> >> > > >
>>>> >> >> > > >
>>>> >> >> > > >
>>>> >> >> > > > --
>>>> >> >> > > > Daan
>>>> >> >> > >
>>>> >> >> >
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >> --
>>>> >> >> Rafael Weingärtner
>>>> >> >>
>>>> >> >
>>>> >> >
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Daan
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Rafael Weingärtner
>>>> >
>>>>
>>>
>>>
>>>
>>> --
>>> Daan
>>>
>>
>>
>>
>> --
>> Rafael Weingärtner
>>
>
>
>
> --
> Daan
>



-- 
Rafael Weingärtner
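As an added example (not code from this thread or the CloudStack project), a merge-time check along the lines of Wido's pull-request hook combined with the committer key registry Rafael points to: it parses git's per-commit signature status and rejects commits that are unsigned, badly signed, or signed by a key that is not registered to a committer. The fingerprints, author names and log sample are constructed; the `%G?` and `%GP` placeholders are git's own log format codes.

```python
import subprocess
from typing import Dict, List, Tuple

# Status letters git prints for %G?: G good, U good but key not trusted locally,
# B bad, X/Y expired signature/key, R revoked key, E cannot check, N unsigned.
GOOD_STATUSES = {"G", "U"}  # trust comes from the allowlist below, not the local trust db
LOG_FORMAT = "%H%x00%G?%x00%GP%x00%an"  # hash, status, primary key fingerprint, author

# Constructed allowlist: primary key fingerprint -> committer login. In practice
# it would be built from the keys published under people.apache.org/keys/committer/.
REGISTERED_KEYS: Dict[str, str] = {
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555": "rafael",
    "FFFF6666AAAA7777BBBB8888CCCC9999DDDD0000": "wido",
}

# Constructed sample of what `git log --format=LOG_FORMAT` emits, one record per line.
SAMPLE_LOG = (
    "1111111\x00G\x00AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\x00Rafael\n"
    "2222222\x00U\x00FFFF6666AAAA7777BBBB8888CCCC9999DDDD0000\x00Wido\n"
    "3333333\x00G\x001234123412341234123412341234123412341234\x00Unknown signer\n"
    "4444444\x00N\x00\x00Drive-by\n"
    "5555555\x00B\x00AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\x00Rafael\n"
)


def git_log_signatures(rev_range: str) -> str:
    """Ask git for the signature status of every commit in rev_range (e.g. 'master..pr')."""
    return subprocess.check_output(["git", "log", f"--format={LOG_FORMAT}", rev_range], text=True)


def check_commits(log_output: str, registered: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (commit, reason) for each commit that must not be merged.

    A commit passes only if git reports a good signature AND the signing key is
    registered to a committer: a good signature from an unknown key proves the
    code is unchanged since it was signed, not that an ASF committer signed it.
    """
    failures = []
    for line in log_output.splitlines():
        if not line:
            continue
        commit, status, fpr, author = line.split("\x00")
        if status == "N":
            failures.append((commit, f"unsigned commit by {author}"))
        elif status not in GOOD_STATUSES:
            failures.append((commit, f"signature status {status} is not a good signature"))
        elif fpr.upper() not in registered:
            failures.append((commit, f"good signature but key {fpr} is not a registered committer key"))
    return failures
```

Run `check_commits(git_log_signatures("master..HEAD"), REGISTERED_KEYS)` in a pre-merge hook and refuse the merge when the list is non-empty.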
