cloudstack-dev mailing list archives

From Daan Hoogland <daan.hoogl...@gmail.com>
Subject Re: GPG signing commits on Github
Date Wed, 06 Apr 2016 15:39:22 GMT
On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:

> Sorry, but I did not understand. We do not have commit access to Github,
> right?
>
I think we are talking about the new-to-be cloudstack organisation, right
@Will?


>
> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <daan.hoogland@gmail.com>
> wrote:
>
>> hm, no ;) We can control access to the organisation right? so we can
>> close it for committers that don't have a valid key. We just need to think
>> of a procedure for checking and registration.
>>
>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <wstevens@cloudops.com>
>> wrote:
>>
>>> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
>>> only that we can't allow commit access on Github because then we can not
>>> limit it to only valid committers who COULD commit.  Is that clearer?
>>>
>>> *Will STEVENS*
>>> Lead Developer
>>>
>>> *CloudOps* *| *Cloud Solutions Experts
>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> w cloudops.com *|* tw @CloudOps_
>>>
>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
>>> rafaelweingartner@gmail.com> wrote:
>>>
>>> > I agree with Daan.
>>> >
>>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <daan.hoogland@gmail.com>
>>> > wrote:
>>> >
>>> >> Will, we only need to be sure about the keys of committers. Only merge
>>> >> commits we need to be sure of the signature and the merger needs to
>>> >> verify the code. He can not assure that the origin of the code is authentic
>>> >> but he can at least assure that the code is unchanged since contribution
>>> >> when it is signed. I don't think we need more.
>>> >>
>>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <wstevens@cloudops.com>
>>> >> wrote:
>>> >>
>>> >> > Ok, that is half.  But how do we verify that a Github user has a GPG key
>>> >> > that is matching what is registered in the ASF?  Just because you have a
>>> >> > GPG key does not mean you are an ASF committer, so the check would have
>>> >> > to be made to verify the GPG is registered to an ASF committer before they
>>> >> > would be allowed to actually commit via Github.  How would this be
>>> >> > resolved?
>>> >> >
>>> >> > *Will STEVENS*
>>> >> > Lead Developer
>>> >> >
>>> >> > *CloudOps* *| *Cloud Solutions Experts
>>> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> >> > w cloudops.com *|* tw @CloudOps_
>>> >> >
>>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
>>> >> > rafaelweingartner@gmail.com> wrote:
>>> >> >
>>> >> >> There is a way to do that. When you become a committer, you can
>>> >> >> register a key at [1], then that key (public key) is loaded to [2]. The
>>> >> >> key is associated with the committer’s login. For instance, this is my
>>> >> >> public key [3].
>>> >> >>
>>> >> >> [1] id.apache.org
>>> >> >> [2] https://people.apache.org/keys/committer/
>>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
>>> >> >>
>>> >> >>
>>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <wstevens@cloudops.com>
>>> >> >> wrote:
>>> >> >>
>>> >> >> > I don't think it is quite this simple.  There would have to be a way
>>> >> >> > for the GPG key to be associated with a specific ASF identity and I
>>> >> >> > don't think that is in place at this time.  Also, there would have to
>>> >> >> > be verification that the person who is committing has a GPG key AND
>>> >> >> > that they are a committer in ASF and have an identity there.  I think
>>> >> >> > there are more moving parts here than meet the eye, but we can
>>> >> >> > definitely continue the discussion and see where it can lead.
>>> >> >> >
>>> >> >> > *Will STEVENS*
>>> >> >> > Lead Developer
>>> >> >> >
>>> >> >> > *CloudOps* *| *Cloud Solutions Experts
>>> >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> >> >> > w cloudops.com *|* tw @CloudOps_
>>> >> >> >
>>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <wido@widodh.nl>
>>> >> >> > wrote:
>>> >> >> >
>>> >> >> > >
>>> >> >> > > > On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogland@gmail.com>
>>> >> >> > > > wrote:
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > > Good reading for the Wednesday morning;) yes I think we need to go
>>> >> >> > > > there and maybe even ask it of our contributors.
>>> >> >> > > >
>>> >> >> > >
>>> >> >> > > It might please the ASF since we can now prove who made the commit.
>>> >> >> > > If we ask all committers to upload their public key and sign their
>>> >> >> > > commits we can check this.
>>> >> >> > >
>>> >> >> > > For Pull Requests we can probably also add a hook/check which
>>> >> >> > > verifies if a signature is present.
>>> >> >> > >
>>> >> >> > > Wido
>>> >> >> > >
>>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <wido@widodh.nl>
>>> >> >> > > > wrote:
>>> >> >> > > >
>>> >> >> > > > > Hi,
>>> >> >> > > > >
>>> >> >> > > > > Github just added [0] support for verifying GPG signatures of
>>> >> >> > > > > Git commits to the web interface.
>>> >> >> > > > >
>>> >> >> > > > > Under the settings page [1] you can now add your public GPG key
>>> >> >> > > > > so Github can verify it.
>>> >> >> > > > >
>>> >> >> > > > > It's rather simple:
>>> >> >> > > > >
>>> >> >> > > > > $ gpg --armor --export wido@widodh.nl
>>> >> >> > > > >
>>> >> >> > > > > That gave me my public key which I could export.
>>> >> >> > > > >
>>> >> >> > > > > Git already supports signing [2] commits with your key.
>>> >> >> > > > >
>>> >> >> > > > > This makes me wonder, is this something we want to enforce? To
>>> >> >> > > > > me it seems like a good thing to have.
>>> >> >> > > > >
>>> >> >> > > > > Wido
>>> >> >> > > > >
>>> >> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
>>> >> >> > > > > [1]: https://github.com/settings/keys
>>> >> >> > > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>> >> >> > > > >
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > > --
>>> >> >> > > > Daan
>>> >> >> > >
>>> >> >> >
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Rafael Weingärtner
>>> >> >>
>>> >> >
>>> >> >
>>> >>
>>> >>
>>> >> --
>>> >> Daan
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Rafael Weingärtner
>>> >
>>>
>>
>>
>>
>> --
>> Daan
>>
>
>
>
> --
> Rafael Weingärtner
>



-- 
Daan
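As an added example (not code from this thread or from the CloudStack project), the kind of merge-time check the thread circles around: Wido's hook that refuses unsigned commits, extended with Will's and Rafael's point that a valid signature is only half the story, since the signing key must also be one registered to a committer. The script parses `git log` signature fields (`%G?`, `%GP`, `%GS`) and accepts a commit only when its signature is good and the signing key's primary fingerprint is in an allowlist. The fingerprints, commit ids, committer logins and log lines are constructed placeholders; a real allowlist would be built from the published committer keys (the .asc files under people.apache.org/keys/committer/) imported into the keyring of the machine running the check.

```python
"""Merge gate: every commit must carry a good GPG signature from a key that is
registered to a committer, not merely from any GPG key.

Added example, not code from the cloudstack-dev thread or the project.
Fingerprints, commit ids, logins and sample log lines are constructed.
"""
import subprocess
from dataclasses import dataclass

# Constructed allowlist: primary-key fingerprint -> committer login.
# In practice this is built by importing each committer's published public
# key into the verifying keyring and recording its primary fingerprint.
COMMITTER_KEYS = {
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555": "rafael",  # placeholder
    "1111AAAA2222BBBB3333CCCC4444DDDD5555EEEE": "wido",    # placeholder
}

# Tab-separated git log fields: commit id, signature status (%G?),
# primary fingerprint of the signing key (%GP), signer name (%GS).
LOG_FORMAT = "%H%x09%G?%x09%GP%x09%GS"

# Meaning of git's %G? status codes (see git-log pretty formats).
STATUS = {
    "G": "good signature",
    "U": "good signature, unknown trust",
    "B": "bad signature",
    "E": "signature cannot be checked (signing key not in keyring)",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "N": "no signature",
}


@dataclass
class CommitCheck:
    commit: str
    ok: bool
    reason: str


def check_commit(commit, status, fingerprint, signer, committer_keys):
    """Decide whether one commit is acceptable for merge."""
    if status == "N":
        return CommitCheck(commit, False, "no signature")
    if status in ("G", "U"):
        # A valid signature is not enough: the key must be one a committer
        # registered, otherwise anyone holding any GPG key would pass.
        login = committer_keys.get(fingerprint.upper())
        if login is None:
            return CommitCheck(commit, False,
                               f"valid signature but key {fingerprint} is not "
                               f"registered to a committer ({signer})")
        return CommitCheck(commit, True, f"signed by committer {login}")
    # B, E, X, Y, R and anything unexpected are rejected with the reason.
    return CommitCheck(commit, False, STATUS.get(status, f"unknown status {status!r}"))


def check_log(log_text, committer_keys=COMMITTER_KEYS):
    """Parse LOG_FORMAT output and check every commit in it."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        if len(fields) != 4:
            results.append(CommitCheck(line, False, "unparseable log line"))
            continue
        results.append(check_commit(*fields, committer_keys))
    return results


def merge_allowed(results):
    """The gate: refuse unless every commit passed; an empty range has
    nothing verified and is refused too."""
    return bool(results) and all(r.ok for r in results)


def check_range(rev_range):
    """Run the check against a real repository, e.g. 'origin/master..HEAD'.
    Needs git and a keyring holding the committer public keys; a signature
    whose key is missing from the keyring is reported as status E."""
    out = subprocess.run(["git", "log", f"--format={LOG_FORMAT}", rev_range],
                         capture_output=True, text=True, check=True).stdout
    return check_log(out)


# Constructed sample output, shaped as git prints it with LOG_FORMAT.
SAMPLE_LOG = "\n".join([
    "\t".join(["0a1b2c3d" * 5, "G", "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555", "Rafael (placeholder)"]),
    "\t".join(["1b2c3d4e" * 5, "N", "", ""]),
    "\t".join(["2c3d4e5f" * 5, "G", "9999000099990000999900009999000099990000", "Some Contributor (placeholder)"]),
    "\t".join(["3d4e5f60" * 5, "E", "", ""]),
    "\t".join(["4e5f6071" * 5, "U", "1111aaaa2222bbbb3333cccc4444dddd5555eeee", "Wido (placeholder)"]),
])

if __name__ == "__main__":
    checks = check_log(SAMPLE_LOG)
    for r in checks:
        print("OK  " if r.ok else "FAIL", r.commit[:12], r.reason)
    print("merge allowed:", merge_allowed(checks))
```

In a pre-receive hook or PR check, `check_range("origin/master..HEAD")` runs the same logic against the real repository. Git only reports a good signature when the signing public key is already in the local keyring, so importing the committer keys is part of the setup; a key that is uploaded to GitHub but absent from that keyring shows up as status E and is refused, which is the conservative outcome.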
