cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daan Hoogland <daan.hoogl...@gmail.com>
Subject Re: GPG signing commits on Github
Date Wed, 06 Apr 2016 15:35:48 GMT
hm, no ;) We can control access to the organisation right? so we can close
it for committers that don't have a valid key. We just need to think of a
procedure for checking and registration.

On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <wstevens@cloudops.com> wrote:

> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
> only that we can't allow commit access on Github because then we can not
> limit it to only valid committers who COULD commit.  Is that clearer?
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>
> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
> > I agree with Daan.
> >
> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <daan.hoogland@gmail.com>
> > wrote:
> >
> >> Will, we only need to be sure about the key's of committers. Only merge
> >> commits we need to be sure of the signature and the merger needs to be
> >> verify the code. He can not assure that the origin of the code is
> >> authentic
> >> but he can at least assure that the code is unchanged since contribution
> >> when it is signed. I don't think we need more.
> >>
> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <wstevens@cloudops.com>
> >> wrote:
> >>
> >> > Ok, that is half.  But how do we verify that a Github user has a GPG
> key
> >> > that is matching what is registered in the ASF?  Just because you
> have a
> >> > GPG key does not mean you are an ASF committer, so the check would
> have
> >> to
> >> > be made to verify the GPG is registered to an ASF committer before
> they
> >> > would be allowed to actually commit via Github.  How would this be
> >> resolved?
> >> >
> >> > *Will STEVENS*
> >> > Lead Developer
> >> >
> >> > *CloudOps* *| *Cloud Solutions Experts
> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> >> > w cloudops.com *|* tw @CloudOps_
> >> >
> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
> >> > rafaelweingartner@gmail.com> wrote:
> >> >
> >> >> There is a way to do that. When you become a committer, you can
> >> register a
> >> >> key at [1], then that key (public key) is loaded to [2]. The key is
> >> >> associated with the committer’s login. For instance, this is my
> public
> >> key
> >> >> [3].
> >> >>
> >> >> [1] id.apache.org
> >> >> [2] https://people.apache.org/keys/committer/
> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
> >> >>
> >> >>
> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <wstevens@cloudops.com
> >
> >> >> wrote:
> >> >>
> >> >> > I don't think it is quite this simple.  There would have to be
a
> way
> >> for
> >> >> > the GPG key to be associated with a specific ASF identity and
I
> don't
> >> >> think
> >> >> > that is in place at this time.  Also, there would have to be
> >> >> verification
> >> >> > that the person who is committing has a GPG key AND that they
are a
> >> >> > committer in ASF and have an identity there.  I think there are
> more
> >> >> moving
> >> >> > parts here than meet the eye, but we can definitely continue the
> >> >> discussion
> >> >> > and see where it can lead.
> >> >> >
> >> >> > *Will STEVENS*
> >> >> > Lead Developer
> >> >> >
> >> >> > *CloudOps* *| *Cloud Solutions Experts
> >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> >> >> > w cloudops.com *|* tw @CloudOps_
> >> >> >
> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <wido@widodh.nl
> >
> >> >> wrote:
> >> >> >
> >> >> > >
> >> >> > > > Op 6 april 2016 om 10:50 schreef Daan Hoogland <
> >> >> > daan.hoogland@gmail.com
> >> >> > > >:
> >> >> > > >
> >> >> > > >
> >> >> > > > Good reading for the Wednesday morning;) yes I think
we need to
> >> go
> >> >> > there
> >> >> > > > and maybe even ask it of our contributors.
> >> >> > > >
> >> >> > >
> >> >> > > It might please the ASF since we can now prove who made the
> commit.
> >> >> If we
> >> >> > > ask
> >> >> > > all committers to upload their public key and sign their
commits
> we
> >> >> can
> >> >> > > check
> >> >> > > this.
> >> >> > >
> >> >> > > For Pull Requests we can probably also add a hook/check which
> >> verifies
> >> >> > if a
> >> >> > > signature is present.
> >> >> > >
> >> >> > > Wido
> >> >> > >
> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <
> >> wido@widodh.nl>
> >> >> > > wrote:
> >> >> > > >
> >> >> > > > > Hi,
> >> >> > > > >
> >> >> > > > > Github just added [0] support for verifying GPG
signatures of
> >> Git
> >> >> > > commits
> >> >> > > > > to the
> >> >> > > > > web interface.
> >> >> > > > >
> >> >> > > > > Under the settings page [1] you can now add your
public GPG
> >> key so
> >> >> > > Github
> >> >> > > > > can
> >> >> > > > > verify it.
> >> >> > > > >
> >> >> > > > > It's rather simple:
> >> >> > > > >
> >> >> > > > > $ gpg --armor --export wido@widodh.nl
> >> >> > > > >
> >> >> > > > > That gave me my public key which I could export.
> >> >> > > > >
> >> >> > > > > Git already supports signing [2] commits with your
key.
> >> >> > > > >
> >> >> > > > > This makes me wonder, is this something we want
to enforce?
> To
> >> me
> >> >> it
> >> >> > > seems
> >> >> > > > > like
> >> >> > > > > a good thing to have.
> >> >> > > > >
> >> >> > > > > Wido
> >> >> > > > >
> >> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
> >> >> > > > > [1]: https://github.com/settings/keys
> >> >> > > > > [2]:
> >> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> >> >> > > > >
> >> >> > > >
> >> >> > > >
> >> >> > > >
> >> >> > > > --
> >> >> > > > Daan
> >> >> > >
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Rafael Weingärtner
> >> >>
> >> >
> >> >
> >>
> >>
> >> --
> >> Daan
> >>
> >
> >
> >
> > --
> > Rafael Weingärtner
> >
>



-- 
Daan

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message