polygene-dev mailing list archives

From Sandro Martini <sandro.mart...@gmail.com>
Subject Re: Commit signing?
Date Thu, 29 Oct 2015 22:34:32 GMT
Hi Niclas,
after reading so many emails on Git and code provenance (and maybe
having lost some emails ...) I fear introducing only a small complexity
without too much gain ... anyway I think that we could try something,
if not in the main repository, then in zest-sandbox.

I have a Code Signing PGP key with my Apache ID that's still valid; to
begin we could exchange our public keys between us :-) . And then add
them to the KEYS file in the Zest source repository.
My Key ID is F9EDAF10; note that it's published at the MIT Key Server
(it should be valid, please tell me if not, because it's not clear); you
can find it even here (two asc files but it's the same key):
I put it here in attachment just for convenience.

Niclas, yours?
Paul and others?

Stay well.


2015-10-28 2:32 GMT+01:00 Niclas Hedhman <niclas@hedhman.org>:
> Hi,
> There is some internal debate about how to ensure provenance in a Git and
> GitHub world. I can't say how that discussion is going, but one idea that
> surfaced, which we (the projects) can do regardless of the total outcome,
> to improve code provenance is to sign our commits.
> I first note that IntelliJ doesn't support commit signing directly.
> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> that correctly) is a must read.
> In that paper, I am specifically talking about Option #3 (as I doubt that
> we (Zest) will get too many pull requests that are many commits long).
> This seems to be something that can be introduced incrementally and at slow
> pace, which is something we like at Apache. Trust enforcement and all of
> that can be done later, and perhaps other projects will lead the way...
> I would like to hear what people think about this...
> Cheers
> Niclas
> P.S. I am now settled in, in Shanghai and just started to work on a new
> Zest based app in my spare time, so activity should start to pick up again.
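To make the proposal concrete (sign commits now, add the public keys to the KEYS file, enforce trust later), here is an added example of an audit script that is not part of the thread or the Zest project. It assumes a KEYS file in the usual Apache style (gpg `pub` lines plus optional fingerprint lines) and the output of `git log --format='%H %G? %GK'`; both inputs are constructed samples embedded inline.

```python
import re
# Constructed sample in the style of an Apache KEYS file (assumed format:
# gpg 'pub' lines, optional fingerprint line; armored blocks omitted).
SAMPLE_KEYS = """\
pub   2048R/11223344 2013-05-01
pub   rsa4096 2015-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ unknown] Second Committer <second@example.org>
"""

# Constructed output of `git log --format='%H %G? %GK'`: hash, signature
# status (G good, U good but key not trusted, N unsigned, B bad, E error)
# and the signing key ID (absent for unsigned commits).
SAMPLE_LOG = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa U 11223344
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb N
cccccccccccccccccccccccccccccccccccccccc U 89ABCDEF01234567
dddddddddddddddddddddddddddddddddddddddd G DEADBEEFCAFEBABE
"""

PUB_ID = re.compile(r"^pub\s+\S+/([0-9A-F]{8,16})\b")
FINGERPRINT = re.compile(r"^\s*([0-9A-F]{40})\s*$")

def parse_keys(text):
    """Collect key IDs and fingerprints listed in a KEYS file."""
    ids = set()
    for line in text.splitlines():
        m = PUB_ID.match(line) or FINGERPRINT.match(line)
        if m:
            ids.add(m.group(1))
    return ids

def key_listed(signing_key, keys):
    # Short and long key IDs are suffixes of the fingerprint, so match by
    # suffix. Short 8-hex IDs are collision-prone: a real policy should list
    # full fingerprints in KEYS and use %GF instead of %GK in git's format.
    return any(k.endswith(signing_key) or signing_key.endswith(k) for k in keys)

def audit(log_text, keys, allow_untrusted=True):
    """Return (commit, verdict) pairs; 'U' is accepted until trust is enforced."""
    ok_status = {"G", "U"} if allow_untrusted else {"G"}
    verdicts = []
    for line in log_text.splitlines():
        commit, status, *rest = line.split()
        key = rest[0] if rest else ""
        if status not in ok_status:
            verdicts.append((commit, f"reject: signature status {status}"))
        elif not key_listed(key, keys):
            verdicts.append((commit, f"reject: key {key} not in KEYS"))
        else:
            verdicts.append((commit, f"ok: signed by {key}"))
    return verdicts
```

Run `audit(SAMPLE_LOG, parse_keys(SAMPLE_KEYS))` to see the unsigned commit and the commit signed by an unlisted key flagged; pass `allow_untrusted=False` once the web of trust is in place to also reject good-but-untrusted signatures.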
