Date: Wed, 6 Apr 2016 10:04:25 -0400
Subject: Re: GPG signing commits on Github
From: Will Stevens
To: "dev@cloudstack.apache.org"
Cc: Daan Hoogland

I don't think it is quite this simple. There would have to be a way for the
GPG key to be associated with a specific ASF identity and I don't think that
is in place at this time. Also, there would have to be verification that the
person who is committing has a GPG key AND that they are a committer in ASF
and have an identity there.

I think there are more moving parts here than meet the eye, but we can
definitely continue the discussion and see where it can lead.

*Will STEVENS*
Lead Developer

*CloudOps* *|* Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander wrote:

>
> > On 6 April 2016 at 10:50, Daan Hoogland wrote:
> >
> >
> > Good reading for the Wednesday morning;) yes I think we need to go there
> > and maybe even ask it of our contributors.
> >
>
> It might please the ASF since we can now prove who made the commit. If we ask
> all committers to upload their public key and sign their commits we can check
> this.
>
> For Pull Requests we can probably also add a hook/check which verifies if a
> signature is present.
>
> Wido
>
> > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander wrote:
> >
> > > Hi,
> > >
> > > Github just added [0] support for verifying GPG signatures of Git commits
> > > to the web interface.
> > >
> > > Under the settings page [1] you can now add your public GPG key so Github
> > > can verify it.
> > >
> > > It's rather simple:
> > >
> > > $ gpg --armor --export wido@widodh.nl
> > >
> > > That gave me my public key which I could export.
> > >
> > > Git already supports signing [2] commits with your key.
> > >
> > > This makes me wonder, is this something we want to enforce? To me it
> > > seems like a good thing to have.
> > >
> > > Wido
> > >
> > > [0]: https://github.com/blog/2144-gpg-signature-verification
> > > [1]: https://github.com/settings/keys
> > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> > >
> >
> > --
> > Daan
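
An added sketch of the check discussed in this thread (not code from any participant or from CloudStack): a hook-style function that rejects unsigned commits and also requires the signing key to be registered to the committer identity, which is the gap Will describes. The key map file and its format are assumptions; `%G?`, `%GP` and `%ce` are standard `git log` format placeholders.

```shell
#!/bin/sh
# Added example. Reads one line per commit on stdin: "<sha>|<%G?>|<%GP>|<%ce>",
# as produced by:  git log --format='%H|%G?|%GP|%ce' "$base..$head"
# $1 is a hypothetical key map: "<primary-key-fingerprint> <committer-email>" per line.
check_signed_commits() {
    keymap=$1
    failures=0
    while IFS='|' read -r sha status fpr email; do
        [ -n "$sha" ] || continue
        case $status in
            G|U) ;;  # good signature; trust is pinned by the key map, not the GPG trustdb
            N)  echo "$sha: unsigned"
                failures=$((failures + 1)); continue ;;
            *)  echo "$sha: signature rejected (status $status)"
                failures=$((failures + 1)); continue ;;
        esac
        # A valid signature alone proves nothing about who the committer is:
        # the key must be the one registered for this committer identity.
        if ! grep -Fqx -- "$fpr $email" "$keymap"; then
            echo "$sha: key ${fpr:-?} is not registered for $email"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample data (fingerprints and addresses are made up).
demo_map=$(mktemp)
echo 'AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 alice@example.org' > "$demo_map"
check_signed_commits "$demo_map" <<'EOF' || echo "policy violations found"
c0ffee01|G|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice@example.org
c0ffee02|N||bob@example.org
c0ffee03|G|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|mallory@example.org
c0ffee04|B|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice@example.org
EOF
rm -f "$demo_map"
```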