Date: Thu, 29 Oct 2015 23:34:32 +0100
Subject: Re: Commit signing?
From: Sandro Martini
To: dev@zest.apache.org

Hi Niclas,

after reading so many emails on Git and code provenance (and maybe I lost some emails ...) I fear introducing a small complexity without too much gain ... anyway, I think that we could try something, if not in the main repository then in zest-sandbox.

I have a Code Signing PGP key with my Apache ID that's still valid; to begin, we could exchange our public keys between us :-) and then add them to the KEYS file in the Zest source repository.

My Key ID is F9EDAF10; note that it's published at the MIT Key Server (it should be valid, please tell me if not, because it's not clear); you can find it even here (two .asc files, but it's the same key): http://people.apache.org/~smartini/

I've put it in the attachment here just for convenience.

Niclas, yours? Paul and others?

Stay well.
Bye,
Sandro

2015-10-28 2:32 GMT+01:00 Niclas Hedhman:
> Hi,
>
> There is some internal debate about how to ensure provenance in a Git and GitHub world. I can't say how that discussion is going, but one idea that surfaced, which we (the projects) can do regardless of the total outcome, to improve code provenance is to sign our commits.
>
> I first note that IntelliJ doesn't support commit signing directly.
>
> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed that correctly) is a must read.
>
> In that paper, I am specifically talking about Option #3 (as I doubt that we (Zest) will get too many pull requests that are many commits long).
>
> This seems to be something that can be introduced incrementally and at a slow pace, which is something we like at Apache. Trust enforcement and all of that can be done later, and perhaps other projects will lead the way...
>
> I would like to hear what people think about this...
>
> Cheers
> Niclas
>
> P.S. I am now settled in, in Shanghai and just started to work on a new Zest based app in my spare time, so activity should start to pick up again.
[Attachment: smartini_apache.asc, an ASCII-armored PGP public key block (base64 body omitted)]
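An added example, not part of this thread or of the Zest project: a small POSIX shell audit that checks git's per-commit signature status against the key IDs listed in a KEYS file, which is the check a project would run once keys are exchanged and commits are signed as proposed above. The KEYS sample and the commit lines are constructed; the KEYS line format ("pub   <algo>/<short key id> <date>") is assumed from typical Apache KEYS files.

```shell
#!/bin/sh
# Added example (not from the thread): audit git commit signatures against a
# KEYS file. Constructed KEYS sample; format assumed from typical Apache KEYS
# files, where each key starts with a "pub   <algo>/<short key id> <date>" line.
KEYS_SAMPLE='pub   2048R/F9EDAF10 2011-08-23
uid                  Sandro Martini (Apache) <smartini@apache.org>
pub   4096R/0123ABCD 2014-01-01
uid                  Example Committer <committer@example.invalid>'

# trusted_key_ids: print the short key ID of every "pub" line read on stdin.
trusted_key_ids() {
  awk '$1 == "pub" { split($2, a, "/"); print a[2] }'
}

# audit_commits KEYS_TEXT
#   stdin: one commit per line as produced by  git log --format='%H %G? %GK'
#          (%G? is the signature status: G good, U good but untrusted locally,
#          B bad, E unverifiable, N no signature, X/Y/R expired or revoked;
#          %GK is the signing key ID)
#   Prints every commit that does not carry a good signature from a key listed
#   in KEYS and returns 1 if any such commit exists, 0 if all pass.
#   Matching on the trailing 8 hex digits mirrors the short IDs in KEYS; short
#   IDs can collide, so compare %GF fingerprints where KEYS carries them.
audit_commits() {
  trusted=$(printf '%s\n' "$1" | trusted_key_ids | tr '\n' ' ')
  awk -v trusted="$trusted" '
    BEGIN { n = split(trusted, t); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    {
      sha = $1; status = $2; key = $3
      if (status != "G" && status != "U") {
        print sha " UNSIGNED_OR_BAD status=" status; bad++; next
      }
      short = substr(key, length(key) - 7)
      if (!(short in ok)) { print sha " UNKNOWN_KEY key=" key; bad++ }
    }
    END { exit (bad > 0) }'
}

# Usage on a real repository:
#   git log --format='%H %G? %GK' | audit_commits "$(cat KEYS)"
```

A commit signed by a key that is in KEYS but not yet trusted in the local gpg keyring shows status U and still passes, which is what lets the check run before any web-of-trust enforcement is in place.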