Mailing-List: dev@cloudstack.apache.org
From: Daan Hoogland
Date: Wed, 6 Apr 2016 17:35:48 +0200
Subject: Re: GPG signing commits on Github
To: dev
Cc: Rafael Weingärtner

Hm, no ;) We can control access to the organisation, right? So we can close it for committers that don't have a valid key. We just need to think of a procedure for checking and registration.

On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens wrote:
> Yes, I agree with both of you. Maybe I am not being clear. My point is only that we can't allow commit access on Github because then we cannot limit it to only valid committers who COULD commit. Is that clearer?
>
> Will STEVENS
> Lead Developer
>
> CloudOps | Cloud Solutions Experts
> 420 rue Guy | Montreal | Quebec | H3J 1S6
> w cloudops.com | tw @CloudOps_
>
> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:
>> I agree with Daan.
>>
>> On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland wrote:
>>> Will, we only need to be sure about the keys of committers. Only for merge commits do we need to be sure of the signature, and the merger needs to verify the code. He cannot assure that the origin of the code is authentic, but he can at least assure that the code is unchanged since contribution when it is signed. I don't think we need more.
>>>
>>> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens wrote:
>>>> Ok, that is half. But how do we verify that a Github user has a GPG key that is matching what is registered in the ASF? Just because you have a GPG key does not mean you are an ASF committer, so the check would have to be made to verify the GPG key is registered to an ASF committer before they would be allowed to actually commit via Github. How would this be resolved?
>>>>
>>>> On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <rafaelweingartner@gmail.com> wrote:
>>>>> There is a way to do that. When you become a committer, you can register a key at [1], then that key (public key) is loaded to [2]. The key is associated with the committer's login. For instance, this is my public key [3].
>>>>>
>>>>> [1] id.apache.org
>>>>> [2] https://people.apache.org/keys/committer/
>>>>> [3] https://people.apache.org/keys/committer/rafael.asc
>>>>>
>>>>> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens wrote:
>>>>>> I don't think it is quite this simple. There would have to be a way for the GPG key to be associated with a specific ASF identity, and I don't think that is in place at this time. Also, there would have to be verification that the person who is committing has a GPG key AND that they are a committer in ASF and have an identity there. I think there are more moving parts here than meet the eye, but we can definitely continue the discussion and see where it can lead.
>>>>>>
>>>>>> On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander wrote:
>>>>>>>> On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogland@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Good reading for the Wednesday morning ;) Yes, I think we need to go there and maybe even ask it of our contributors.
>>>>>>>
>>>>>>> It might please the ASF since we can now prove who made the commit. If we ask all committers to upload their public key and sign their commits, we can check this.
>>>>>>>
>>>>>>> For Pull Requests we can probably also add a hook/check which verifies if a signature is present.
>>>>>>>
>>>>>>> Wido
>>>>>>>
>>>>>>>> On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <wido@widodh.nl> wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Github just added [0] support for verifying GPG signatures of Git commits to the web interface.
>>>>>>>>>
>>>>>>>>> Under the settings page [1] you can now add your public GPG key so Github can verify it.
>>>>>>>>>
>>>>>>>>> It's rather simple:
>>>>>>>>>
>>>>>>>>> $ gpg --armor --export wido@widodh.nl
>>>>>>>>>
>>>>>>>>> That gave me my public key which I could export.
>>>>>>>>>
>>>>>>>>> Git already supports signing [2] commits with your key.
>>>>>>>>>
>>>>>>>>> This makes me wonder, is this something we want to enforce? To me it seems like a good thing to have.
>>>>>>>>>
>>>>>>>>> Wido
>>>>>>>>>
>>>>>>>>> [0]: https://github.com/blog/2144-gpg-signature-verification
>>>>>>>>> [1]: https://github.com/settings/keys
>>>>>>>>> [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>>>>>>
>>>>>>>> --
>>>>>>>> Daan
>>>>>
>>>>> --
>>>>> Rafael Weingärtner
>>>
>>> --
>>> Daan
>>
>> --
>> Rafael Weingärtner

-- 
Daan
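The thread asks for two things: Wido's hook/check that a signature is present on a Pull Request, and Daan's and Will's requirement that the signature come from a key registered to an ASF committer rather than from just any GPG key. The following is an added example of such a merge gate, written for this page and not code from the thread or from the CloudStack project. It assumes the hook first imports the committer keys (for instance from https://people.apache.org/keys/committer/) with `gpg --import`, then runs `git log --format='%H%x09%G?%x09%GF%x09%GP' <base>..<head>`; the `%GF` and `%GP` placeholders (signing-key and primary-key fingerprint) are newer than this 2016 thread and require a git that provides them. The fingerprints, logins and the sample log below are constructed for the demonstration.

```python
"""Gate a merge on commit signatures made with registered committer keys.

Input is the output of
    git log --format='%H%x09%G?%x09%GF%x09%GP' <base>..<head>
run after `gpg --import` of the committer keys, so git can validate each
signature. Policy applied here: a commit is accepted only if its signature
is cryptographically valid AND the primary key is registered to a committer.
"""
from __future__ import annotations

from dataclasses import dataclass

# Letters git prints for %G? (git-log(1), "PRETTY FORMATS").
SIG_STATUS = {
    "G": "good signature",
    "U": "good signature, key untrusted",
    "B": "bad signature",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# Cryptographically valid outcomes. "U" is accepted because trust is decided
# by the REGISTERED allowlist below, not by the local GnuPG web of trust.
VALID_SIGNATURE = {"G", "U"}

# Hypothetical allowlist: primary-key fingerprint -> committer login. In a real
# hook this is derived from the keys published for each committer (constructed).
FPR_DAAN = "1111222233334444555566667777888899990000"
FPR_RAFAEL = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
FPR_RAFAEL_SUBKEY = "0123456789ABCDEF0123456789ABCDEF01234567"  # signing subkey
FPR_UNKNOWN = "DEADBEEF" * 5  # a real key, but nobody registered it
REGISTERED = {FPR_DAAN: "daan", FPR_RAFAEL: "rafael"}


@dataclass(frozen=True)
class CommitSig:
    sha: str
    status: str        # %G? letter
    signer_fpr: str    # %GF: key (possibly a subkey) that made the signature
    primary_fpr: str   # %GP: primary key owning the signer; empty if unsigned


def normalize_fpr(fpr: str) -> str:
    """Canonical fingerprint form: no spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()


def parse_log(text: str) -> list[CommitSig]:
    """Parse tab-separated '%H %G? %GF %GP' lines; empty fields stay empty."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected git log line: {line!r}")
        sha, status, signer, primary = parts
        commits.append(CommitSig(sha, status, normalize_fpr(signer), normalize_fpr(primary)))
    return commits


def check_commit(c: CommitSig, registered: dict[str, str]) -> tuple[bool, str]:
    """Return (accepted, reason): signature validity first, then key registration."""
    if c.status not in VALID_SIGNATURE:
        return False, SIG_STATUS.get(c.status, f"unknown status {c.status!r}")
    # Compare the primary key so that committers may sign with a subkey.
    login = registered.get(c.primary_fpr)
    if login is None:
        return False, f"valid signature, but key {c.primary_fpr} is not registered to a committer"
    return True, f"signed by committer {login}"


def check_range(log_text: str, registered: dict[str, str]) -> dict[str, tuple[bool, str]]:
    return {c.sha: check_commit(c, registered) for c in parse_log(log_text)}


def merge_allowed(results: dict[str, tuple[bool, str]]) -> bool:
    """A merge is allowed only when the range is non-empty and every commit passes."""
    return bool(results) and all(ok for ok, _ in results.values())


# Constructed sample log covering the cases a hook must handle.
SHA_OK, SHA_SUBKEY, SHA_UNKNOWN = "a0" * 20, "b1" * 20, "c2" * 20
SHA_UNSIGNED, SHA_BAD, SHA_NOKEY = "d3" * 20, "e4" * 20, "f5" * 20
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    (SHA_OK,       "G", FPR_DAAN,          FPR_DAAN),
    (SHA_SUBKEY,   "U", FPR_RAFAEL_SUBKEY, FPR_RAFAEL),
    (SHA_UNKNOWN,  "G", FPR_UNKNOWN,       FPR_UNKNOWN),
    (SHA_UNSIGNED, "N", "",                ""),
    (SHA_BAD,      "B", FPR_DAAN,          FPR_DAAN),
    (SHA_NOKEY,    "E", "",                ""),
])

if __name__ == "__main__":
    results = check_range(SAMPLE_LOG, REGISTERED)
    for sha, (ok, why) in results.items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {sha[:12]} {why}")
    print("merge allowed:", merge_allowed(results))
```

The two decisions are deliberately separate: git and gpg answer "is this signature valid for this key", while the allowlist answers "is this key one the ASF has on record for a committer". A good signature from an unregistered key (the third sample commit) is therefore rejected, which is exactly the gap Will raised: owning a GPG key does not make someone a committer. Matching on the primary-key fingerprint lets committers sign with a dedicated signing subkey without registering every subkey.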