Posted to dev@cloudstack.apache.org by Wido den Hollander <wi...@widodh.nl> on 2016/04/06 09:28:53 UTC

GPG signing commits on Github

Hi,

Github just added [0] support for verifying GPG signatures of Git commits to the
web interface.

Under the settings page [1] you can now add your public GPG key so Github can
verify it.

It's rather simple:

$ gpg --armor --export wido@widodh.nl

That gave me my public key which I could export.

Git already supports signing [2] commits with your key.

This makes me wonder, is this something we want to enforce? To me it seems like
a good thing to have.

Wido

[0]: https://github.com/blog/2144-gpg-signature-verification
[1]: https://github.com/settings/keys
[2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

Re: GPG signing commits on Github

Posted by Will Stevens <ws...@cloudops.com>.
Ok cool.  I was jumping to conclusions.  :P  My bad...

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 5:08 PM, Wido den Hollander <wi...@widodh.nl> wrote:

>
> > Op 6 april 2016 om 19:16 schreef Will Stevens <ws...@cloudops.com>:
> >
> >
> > yes, for now.  this is something I want to work towards, but we have to
> be
> > patient and go one step at a time.
> >
>
> Yes. I never meant this to be implemented right now.
>
> For me it seemed like a good thing so that we can prove where a commit came
> from. You can fake the Author in a commit. You can't fake a GPG signature.
>
> That's all. Just nice that Github now has the support.
>
> Wido
>
> > *Will STEVENS*
> > Lead Developer
> >
> > *CloudOps* *| *Cloud Solutions Experts
> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> > w cloudops.com *|* tw @CloudOps_
> >
> > On Wed, Apr 6, 2016 at 1:06 PM, Daan Hoogland <da...@gmail.com>
> > wrote:
> >
> > >
> > > On Wed, Apr 6, 2016 at 6:58 PM, Will Stevens <ws...@cloudops.com>
> > > wrote:
> > >
> > >> but we have to work with the ASF
> > >
> > >
> > > so we can not go there tomorrow but maybe the day after. Both we and
> the
> > > foundation want signed commits so in the end we can be using github
> for
> > > this as well. As long as there is no commit access to github this
> > > functionality is not for us, so this discussion is future dreams
> anyhow.
> > >
> > >
> > >
> > > --
> > > Daan
> > >
>

Re: GPG signing commits on Github

Posted by Wido den Hollander <wi...@widodh.nl>.
> Op 6 april 2016 om 19:16 schreef Will Stevens <ws...@cloudops.com>:
> 
> 
> yes, for now.  this is something I want to work towards, but we have to be
> patient and go one step at a time.
> 

Yes. I never meant this to be implemented right now.

For me it seemed like a good thing so that we can prove where a commit came
from. You can fake the Author in a commit. You can't fake a GPG signature.

That's all. Just nice that Github now has the support.

Wido

> *Will STEVENS*
> Lead Developer
> 
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
> 
> On Wed, Apr 6, 2016 at 1:06 PM, Daan Hoogland <da...@gmail.com>
> wrote:
> 
> >
> > On Wed, Apr 6, 2016 at 6:58 PM, Will Stevens <ws...@cloudops.com>
> > wrote:
> >
> >> but we have to work with the ASF
> >
> >
> > so we can not go there tomorrow but maybe the day after. Both we and the
> > foundation want signed commits so in the end we can be using github for
> > this as well. As long as there is no commit access to github this
> > functionality is not for us, so this discussion is future dreams anyhow.
> >
> >
> >
> > --
> > Daan
> >

Re: GPG signing commits on Github

Posted by Will Stevens <ws...@cloudops.com>.
yes, for now.  this is something I want to work towards, but we have to be
patient and go one step at a time.

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 1:06 PM, Daan Hoogland <da...@gmail.com>
wrote:

>
> On Wed, Apr 6, 2016 at 6:58 PM, Will Stevens <ws...@cloudops.com>
> wrote:
>
>> but we have to work with the ASF
>
>
> so we can not go there tomorrow but maybe the day after. Both we and the
> foundation want signed commits so in the end we can be using github for
> this as well. As long as there is no commit access to github this
> functionality is not for us, so this discussion is future dreams anyhow.
>
>
>
> --
> Daan
>

Re: GPG signing commits on Github

Posted by Daan Hoogland <da...@gmail.com>.
On Wed, Apr 6, 2016 at 6:58 PM, Will Stevens <ws...@cloudops.com> wrote:

> but we have to work with the ASF


so we can not go there tomorrow but maybe the day after. Both we and the
foundation want signed commits so in the end we can be using github for
this as well. As long as there is no commit access to github this
functionality is not for us, so this discussion is future dreams anyhow.



-- 
Daan

Re: GPG signing commits on Github

Posted by Will Stevens <ws...@cloudops.com>.
I am just trying to make sure we are all clear on what we are trying to
achieve.

No, we do not have committer access via Github, and in order for us to be
able to make the move the 'apache-cloudstack' org, we will need to keep it
that way (at least for now).  I am still working on getting this to happen
and the ball is in my court to involve Infra right now.

Once that move is complete we have more options, but we have to work with
the ASF to make sure they are comfortable with anything we propose.  I know
that the GPG thing is something they would not accept in the past, but i
was not involved in that discussion, so I can't really comment on that.
Also, things may have changed since that decision.

Since this is a bit of a complicated topic and there are many opinions in
play that are not specifically technical, I am just trying to make sure
that we stay on the same page as much as possible and that we look at the
problem from both sides (ours and the ASF).

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 11:41 AM, Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:

> Ah, ok
> I had forgotten that, my bad.
>
> On Wed, Apr 6, 2016 at 12:39 PM, Daan Hoogland <da...@gmail.com>
> wrote:
>
> > On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <
> > rafaelweingartner@gmail.com> wrote:
> >
> >> Sorry, but I did not understand. We do not have commit access to Github,
> >> right?
> >>
> > I think we are talking about the new to be cloudstack organisation,
> right
> > @Will?
> >
> >
> >
> >
> >>
> >> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <daan.hoogland@gmail.com
> >
> >> wrote:
> >>
> >>> hm, no ;) We can control access to the organisation right? so we can
> >>> close it for committers that don't have a valid key. We just need to
> think
> >>> of a procedure for checking and registration.
> >>>
> >>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <ws...@cloudops.com>
> >>> wrote:
> >>>
> >>>> Yes, I agree with both of you.  Maybe I am not being clear.  My point
> is
> >>>> only that we can't allow commit access on Github because then we can
> not
> >>>> limit it to only valid committers who COULD commit.  Is that clearer?
> >>>>
> >>>> *Will STEVENS*
> >>>> Lead Developer
> >>>>
> >>>> *CloudOps* *| *Cloud Solutions Experts
> >>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> >>>> w cloudops.com *|* tw @CloudOps_
> >>>>
> >>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
> >>>> rafaelweingartner@gmail.com> wrote:
> >>>>
> >>>> > I agree with Daan.
> >>>> >
> >>>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <
> >>>> daan.hoogland@gmail.com>
> >>>> > wrote:
> >>>> >
> >>>> >> Will, we only need to be sure about the key's of committers. Only
> >>>> merge
> >>>> >> commits we need to be sure of the signature and the merger needs to
> >>>> be
> >>>> >> verify the code. He can not assure that the origin of the code is
> >>>> >> authentic
> >>>> >> but he can at least assure that the code is unchanged since
> >>>> contribution
> >>>> >> when it is signed. I don't think we need more.
> >>>> >>
> >>>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <
> wstevens@cloudops.com>
> >>>> >> wrote:
> >>>> >>
> >>>> >> > Ok, that is half.  But how do we verify that a Github user has a
> >>>> GPG key
> >>>> >> > that is matching what is registered in the ASF?  Just because you
> >>>> have a
> >>>> >> > GPG key does not mean you are an ASF committer, so the check
> would
> >>>> have
> >>>> >> to
> >>>> >> > be made to verify the GPG is registered to an ASF committer
> before
> >>>> they
> >>>> >> > would be allowed to actually commit via Github.  How would this
> be
> >>>> >> resolved?
> >>>> >> >
> >>>> >> > *Will STEVENS*
> >>>> >> > Lead Developer
> >>>> >> >
> >>>> >> > *CloudOps* *| *Cloud Solutions Experts
> >>>> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> >>>> >> > w cloudops.com *|* tw @CloudOps_
> >>>> >> >
> >>>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
> >>>> >> > rafaelweingartner@gmail.com> wrote:
> >>>> >> >
> >>>> >> >> There is a way to do that. When you become a committer, you can
> >>>> >> register a
> >>>> >> >> key at [1], then that key (public key) is loaded to [2]. The key
> >>>> is
> >>>> >> >> associated with the committer’s login. For instance, this is my
> >>>> public
> >>>> >> key
> >>>> >> >> [3].
> >>>> >> >>
> >>>> >> >> [1] id.apache.org
> >>>> >> >> [2] https://people.apache.org/keys/committer/
> >>>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
> >>>> >> >>
> >>>> >> >>
> >>>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <
> >>>> wstevens@cloudops.com>
> >>>> >> >> wrote:
> >>>> >> >>
> >>>> >> >> > I don't think it is quite this simple.  There would have to be
> >>>> a way
> >>>> >> for
> >>>> >> >> > the GPG key to be associated with a specific ASF identity and
> I
> >>>> don't
> >>>> >> >> think
> >>>> >> >> > that is in place at this time.  Also, there would have to be
> >>>> >> >> verification
> >>>> >> >> > that the person who is committing has a GPG key AND that they
> >>>> are a
> >>>> >> >> > committer in ASF and have an identity there.  I think there
> are
> >>>> more
> >>>> >> >> moving
> >>>> >> >> > parts here than meet the eye, but we can definitely continue
> the
> >>>> >> >> discussion
> >>>> >> >> > and see where it can lead.
> >>>> >> >> >
> >>>> >> >> > *Will STEVENS*
> >>>> >> >> > Lead Developer
> >>>> >> >> >
> >>>> >> >> > *CloudOps* *| *Cloud Solutions Experts
> >>>> >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> >>>> >> >> > w cloudops.com *|* tw @CloudOps_
> >>>> >> >> >
> >>>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <
> >>>> wido@widodh.nl>
> >>>> >> >> wrote:
> >>>> >> >> >
> >>>> >> >> > >
> >>>> >> >> > > > Op 6 april 2016 om 10:50 schreef Daan Hoogland <
> >>>> >> >> > daan.hoogland@gmail.com
> >>>> >> >> > > >:
> >>>> >> >> > > >
> >>>> >> >> > > >
> >>>> >> >> > > > Good reading for the Wednesday morning;) yes I think we
> >>>> need to
> >>>> >> go
> >>>> >> >> > there
> >>>> >> >> > > > and maybe even ask it of our contributors.
> >>>> >> >> > > >
> >>>> >> >> > >
> >>>> >> >> > > It might please the ASF since we can now prove who made the
> >>>> commit.
> >>>> >> >> If we
> >>>> >> >> > > ask
> >>>> >> >> > > all committers to upload their public key and sign their
> >>>> commits we
> >>>> >> >> can
> >>>> >> >> > > check
> >>>> >> >> > > this.
> >>>> >> >> > >
> >>>> >> >> > > For Pull Requests we can probably also add a hook/check
> which
> >>>> >> verifies
> >>>> >> >> > if a
> >>>> >> >> > > signature is present.
> >>>> >> >> > >
> >>>> >> >> > > Wido
> >>>> >> >> > >
> >>>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <
> >>>> >> wido@widodh.nl>
> >>>> >> >> > > wrote:
> >>>> >> >> > > >
> >>>> >> >> > > > > Hi,
> >>>> >> >> > > > >
> >>>> >> >> > > > > Github just added [0] support for verifying GPG
> >>>> signatures of
> >>>> >> Git
> >>>> >> >> > > commits
> >>>> >> >> > > > > to the
> >>>> >> >> > > > > web interface.
> >>>> >> >> > > > >
> >>>> >> >> > > > > Under the settings page [1] you can now add your public
> >>>> GPG
> >>>> >> key so
> >>>> >> >> > > Github
> >>>> >> >> > > > > can
> >>>> >> >> > > > > verify it.
> >>>> >> >> > > > >
> >>>> >> >> > > > > It's rather simple:
> >>>> >> >> > > > >
> >>>> >> >> > > > > $ gpg --armor --export wido@widodh.nl
> >>>> >> >> > > > >
> >>>> >> >> > > > > That gave me my public key which I could export.
> >>>> >> >> > > > >
> >>>> >> >> > > > > Git already supports signing [2] commits with your key.
> >>>> >> >> > > > >
> >>>> >> >> > > > > This makes me wonder, is this something we want to
> >>>> enforce? To
> >>>> >> me
> >>>> >> >> it
> >>>> >> >> > > seems
> >>>> >> >> > > > > like
> >>>> >> >> > > > > a good thing to have.
> >>>> >> >> > > > >
> >>>> >> >> > > > > Wido
> >>>> >> >> > > > >
> >>>> >> >> > > > > [0]:
> >>>> https://github.com/blog/2144-gpg-signature-verification
> >>>> >> >> > > > > [1]: https://github.com/settings/keys
> >>>> >> >> > > > > [2]:
> >>>> >> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> >>>> >> >> > > > >
> >>>> >> >> > > >
> >>>> >> >> > > >
> >>>> >> >> > > >
> >>>> >> >> > > > --
> >>>> >> >> > > > Daan
> >>>> >> >> > >
> >>>> >> >> >
> >>>> >> >>
> >>>> >> >>
> >>>> >> >>
> >>>> >> >> --
> >>>> >> >> Rafael Weingärtner
> >>>> >> >>
> >>>> >> >
> >>>> >> >
> >>>> >>
> >>>> >>
> >>>> >> --
> >>>> >> Daan
> >>>> >>
> >>>> >
> >>>> >
> >>>> >
> >>>> > --
> >>>> > Rafael Weingärtner
> >>>> >
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Daan
> >>>
> >>
> >>
> >>
> >> --
> >> Rafael Weingärtner
> >>
> >
> >
> >
> > --
> > Daan
> >
>
>
>
> --
> Rafael Weingärtner
>
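
An added example, not code from this thread or from the CloudStack project,
of the pull-request "hook/check" Wido suggests above, combined with Will's
requirement that a good signature alone is not enough: the signing key must
also be one registered to an ASF committer (the per-committer keys Rafael
points to). It assumes the commit list is produced by git's own pretty
format, `git log --format='%H%x09%G?%x09%GK%x09%ae'`, where `%G?` is the
signature status letter and `%GK` the signing key id git reports after
verifying against the keys in the checking keyring. The committer allowlist,
the key ids, the commit hashes and the log lines below are constructed
placeholders, not values from the ASF key registry.

```python
"""Policy check: every commit in a range must carry a signature that
verifies AND was made with a key registered to a known committer.

Expected input: one commit per line, tab separated, as produced by
    git log --format='%H%x09%G?%x09%GK%x09%ae' <base>..<head>
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Meaning of the %G? status letters (see "PRETTY FORMATS" in git-log(1)).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Statuses this policy accepts. "U" is accepted because the allowlist,
# not GnuPG's web of trust, is what establishes trust in the key here;
# anything else (bad, expired, revoked, unverifiable, absent) fails.
ACCEPTED_STATUSES = {"G", "U"}

# Constructed allowlist: signing key id -> committer login. In practice
# this would be built from the registered committer keys.
COMMITTER_KEYS: Dict[str, str] = {
    "0123456789ABCDEF": "wido",
    "FEDCBA9876543210": "rafael",
}

# Constructed sample of git log output covering the interesting cases.
SAMPLE_LOG = (
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334\tG\t0123456789ABCDEF\twido@widodh.nl\n"
    "b2c3d4e5f60718293a4b5c6d7e8f90011223344a\tU\tFEDCBA9876543210\trafael@example.org\n"
    "c3d4e5f60718293a4b5c6d7e8f90011223344a5b\tN\t\tsomeone@example.org\n"
    "d4e5f60718293a4b5c6d7e8f90011223344a5b6c\tG\tDEADBEEFDEADBEEF\tstranger@example.org\n"
    "e5f60718293a4b5c6d7e8f90011223344a5b6c7d\tB\t0123456789ABCDEF\twido@widodh.nl\n"
)


@dataclass
class CommitCheck:
    sha: str
    status: str
    key_id: str
    author_email: str
    ok: bool
    reason: str


def parse_log_line(line: str) -> Tuple[str, str, str, str]:
    """Split one tab-separated log line into (sha, status, key_id, email).
    Tabs are used so that an empty %GK (unsigned commit) keeps its column."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}: {line!r}")
    return fields[0], fields[1], fields[2], fields[3]


def check_commit(line: str, allowlist: Dict[str, str]) -> CommitCheck:
    """Apply the policy to a single commit: signature must verify, and the
    key must map to a registered committer. The author field is informational
    only, because the Author header of a commit can be set to anything."""
    sha, status, key_id, email = parse_log_line(line)
    if status not in ACCEPTED_STATUSES:
        reason = STATUS_MEANING.get(status, f"unknown signature status {status!r}")
        return CommitCheck(sha, status, key_id, email, False, reason)
    committer = allowlist.get(key_id)
    if committer is None:
        return CommitCheck(sha, status, key_id, email, False,
                           f"key {key_id} is not registered to any committer")
    return CommitCheck(sha, status, key_id, email, True,
                       f"signed by registered committer {committer}")


def check_range(log_output: str, allowlist: Dict[str, str]) -> List[CommitCheck]:
    """Check every non-empty line of the log output."""
    return [check_commit(l, allowlist) for l in log_output.splitlines() if l.strip()]


def all_commits_ok(log_output: str, allowlist: Dict[str, str]) -> bool:
    """True only if every commit in the range passes; this is the value a
    pull-request check would turn into pass/fail."""
    return all(c.ok for c in check_range(log_output, allowlist))


if __name__ == "__main__":
    # Read piped git log output if present, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    results = check_range(data, COMMITTER_KEYS)
    for c in results:
        print(f"{'PASS' if c.ok else 'FAIL'} {c.sha[:12]} {c.status} {c.author_email}: {c.reason}")
    sys.exit(0 if all(c.ok for c in results) else 1)
```

Run against a real range with
`git log --format='%H%x09%G?%x09%GK%x09%ae' origin/master..HEAD | python3 check_signatures.py`
after importing the registered committer keys into the keyring of the machine
doing the check; without those keys git reports "E" for every signed commit
and the policy fails closed, which is the intended behaviour.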

Re: GPG signing commits on Github

Posted by Rafael Weingärtner <ra...@gmail.com>.
Ah, ok
I had forgotten that, my bad.

On Wed, Apr 6, 2016 at 12:39 PM, Daan Hoogland <da...@gmail.com>
wrote:

> On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <
> rafaelweingartner@gmail.com> wrote:
>
>> Sorry, but I did not understand. We do not have commit access to Github,
>> right?
>>
> I think we are talking about the new to be cloudstack organisation, right
> @Will?
>
>
>
>
>>
>> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <da...@gmail.com>
>> wrote:
>>
>>> hm, no ;) We can control access to the organisation right? so we can
>>> close it for committers that don't have a valid key. We just need to think
>>> of a procedure for checking and registration.
>>>
>>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <ws...@cloudops.com>
>>> wrote:
>>>
>>>> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
>>>> only that we can't allow commit access on Github because then we can not
>>>> limit it to only valid committers who COULD commit.  Is that clearer?
>>>>
>>>> *Will STEVENS*
>>>> Lead Developer
>>>>
>>>> *CloudOps* *| *Cloud Solutions Experts
>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> w cloudops.com *|* tw @CloudOps_
>>>>
>>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
>>>> rafaelweingartner@gmail.com> wrote:
>>>>
>>>> > I agree with Daan.
>>>> >
>>>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <
>>>> daan.hoogland@gmail.com>
>>>> > wrote:
>>>> >
>>>> >> Will, we only need to be sure about the key's of committers. Only
>>>> merge
>>>> >> commits we need to be sure of the signature and the merger needs to
>>>> be
>>>> >> verify the code. He can not assure that the origin of the code is
>>>> >> authentic
>>>> >> but he can at least assure that the code is unchanged since
>>>> contribution
>>>> >> when it is signed. I don't think we need more.
>>>> >>
>>>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <ws...@cloudops.com>
>>>> >> wrote:
>>>> >>
>>>> >> > Ok, that is half.  But how do we verify that a Github user has a
>>>> GPG key
>>>> >> > that is matching what is registered in the ASF?  Just because you
>>>> have a
>>>> >> > GPG key does not mean you are an ASF committer, so the check would
>>>> have
>>>> >> to
>>>> >> > be made to verify the GPG is registered to an ASF committer before
>>>> they
>>>> >> > would be allowed to actually commit via Github.  How would this be
>>>> >> resolved?
>>>> >> >
>>>> >> > *Will STEVENS*
>>>> >> > Lead Developer
>>>> >> >
>>>> >> > *CloudOps* *| *Cloud Solutions Experts
>>>> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> >> > w cloudops.com *|* tw @CloudOps_
>>>> >> >
>>>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
>>>> >> > rafaelweingartner@gmail.com> wrote:
>>>> >> >
>>>> >> >> There is a way to do that. When you become a committer, you can
>>>> >> register a
>>>> >> >> key at [1], then that key (public key) is loaded to [2]. The key
>>>> is
>>>> >> >> associated with the committer’s login. For instance, this is my
>>>> public
>>>> >> key
>>>> >> >> [3].
>>>> >> >>
>>>> >> >> [1] id.apache.org
>>>> >> >> [2] https://people.apache.org/keys/committer/
>>>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
>>>> >> >>
>>>> >> >>
>>>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <
>>>> wstevens@cloudops.com>
>>>> >> >> wrote:
>>>> >> >>
>>>> >> >> > I don't think it is quite this simple.  There would have to be
>>>> a way
>>>> >> for
>>>> >> >> > the GPG key to be associated with a specific ASF identity and I
>>>> don't
>>>> >> >> think
>>>> >> >> > that is in place at this time.  Also, there would have to be
>>>> >> >> verification
>>>> >> >> > that the person who is committing has a GPG key AND that they
>>>> are a
>>>> >> >> > committer in ASF and have an identity there.  I think there are
>>>> more
>>>> >> >> moving
>>>> >> >> > parts here than meet the eye, but we can definitely continue the
>>>> >> >> discussion
>>>> >> >> > and see where it can lead.
>>>> >> >> >
>>>> >> >> > *Will STEVENS*
>>>> >> >> > Lead Developer
>>>> >> >> >
>>>> >> >> > *CloudOps* *| *Cloud Solutions Experts
>>>> >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> >> >> > w cloudops.com *|* tw @CloudOps_
>>>> >> >> >
>>>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <
>>>> wido@widodh.nl>
>>>> >> >> wrote:
>>>> >> >> >
>>>> >> >> > >
>>>> >> >> > > > Op 6 april 2016 om 10:50 schreef Daan Hoogland <
>>>> >> >> > daan.hoogland@gmail.com
>>>> >> >> > > >:
>>>> >> >> > > >
>>>> >> >> > > >
>>>> >> >> > > > Good reading for the Wednesday morning;) yes I think we
>>>> need to
>>>> >> go
>>>> >> >> > there
>>>> >> >> > > > and maybe even ask it of our contributors.
>>>> >> >> > > >
>>>> >> >> > >
>>>> >> >> > > It might please the ASF since we can now prove who made the
>>>> commit.
>>>> >> >> If we
>>>> >> >> > > ask
>>>> >> >> > > all committers to upload their public key and sign their
>>>> commits we
>>>> >> >> can
>>>> >> >> > > check
>>>> >> >> > > this.
>>>> >> >> > >
>>>> >> >> > > For Pull Requests we can probably also add a hook/check which
>>>> >> verifies
>>>> >> >> > if a
>>>> >> >> > > signature is present.
>>>> >> >> > >
>>>> >> >> > > Wido
>>>> >> >> > >
>>>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <
>>>> >> wido@widodh.nl>
>>>> >> >> > > wrote:
>>>> >> >> > > >
>>>> >> >> > > > > Hi,
>>>> >> >> > > > >
>>>> >> >> > > > > Github just added [0] support for verifying GPG
>>>> signatures of
>>>> >> Git
>>>> >> >> > > commits
>>>> >> >> > > > > to the
>>>> >> >> > > > > web interface.
>>>> >> >> > > > >
>>>> >> >> > > > > Under the settings page [1] you can now add your public
>>>> GPG
>>>> >> key so
>>>> >> >> > > Github
>>>> >> >> > > > > can
>>>> >> >> > > > > verify it.
>>>> >> >> > > > >
>>>> >> >> > > > > It's rather simple:
>>>> >> >> > > > >
>>>> >> >> > > > > $ gpg --armor --export wido@widodh.nl
>>>> >> >> > > > >
>>>> >> >> > > > > That gave me my public key which I could export.
>>>> >> >> > > > >
>>>> >> >> > > > > Git already supports signing [2] commits with your key.
>>>> >> >> > > > >
>>>> >> >> > > > > This makes me wonder, is this something we want to
>>>> enforce? To
>>>> >> me
>>>> >> >> it
>>>> >> >> > > seems
>>>> >> >> > > > > like
>>>> >> >> > > > > a good thing to have.
>>>> >> >> > > > >
>>>> >> >> > > > > Wido
>>>> >> >> > > > >
>>>> >> >> > > > > [0]:
>>>> https://github.com/blog/2144-gpg-signature-verification
>>>> >> >> > > > > [1]: https://github.com/settings/keys
>>>> >> >> > > > > [2]:
>>>> >> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>> >> >> > > > >
>>>> >> >> > > >
>>>> >> >> > > >
>>>> >> >> > > >
>>>> >> >> > > > --
>>>> >> >> > > > Daan
>>>> >> >> > >
>>>> >> >> >
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >> --
>>>> >> >> Rafael Weingärtner
>>>> >> >>
>>>> >> >
>>>> >> >
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Daan
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Rafael Weingärtner
>>>> >
>>>>
>>>
>>>
>>>
>>> --
>>> Daan
>>>
>>
>>
>>
>> --
>> Rafael Weingärtner
>>
>
>
>
> --
> Daan
>



-- 
Rafael Weingärtner

Re: GPG signing commits on Github

Posted by Daan Hoogland <da...@gmail.com>.
On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:

> Sorry, but I did not understand. We do not have commit access to Github,
> right?
>
I think we are talking about the new to be cloudstack organisation, right
@Will?



>
> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <da...@gmail.com>
> wrote:
>
>> hm, no ;) We can control access to the organisation right? so we can
>> close it for committers that don't have a valid key. We just need to think
>> of a procedure for checking and registration.
>>
>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <ws...@cloudops.com>
>> wrote:
>>
>>> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
>>> only that we can't allow commit access on Github because then we can not
>>> limit it to only valid committers who COULD commit.  Is that clearer?
>>>
>>> *Will STEVENS*
>>> Lead Developer
>>>
>>> *CloudOps* *| *Cloud Solutions Experts
>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> w cloudops.com *|* tw @CloudOps_
>>>
>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
>>> rafaelweingartner@gmail.com> wrote:
>>>
>>> > I agree with Daan.
>>> >
>>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <
>>> daan.hoogland@gmail.com>
>>> > wrote:
>>> >
>>> >> Will, we only need to be sure about the key's of committers. Only
>>> merge
>>> >> commits we need to be sure of the signature and the merger needs to be
>>> >> verify the code. He can not assure that the origin of the code is
>>> >> authentic
>>> >> but he can at least assure that the code is unchanged since
>>> contribution
>>> >> when it is signed. I don't think we need more.
>>> >>
>>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <ws...@cloudops.com>
>>> >> wrote:
>>> >>
>>> >> > Ok, that is half.  But how do we verify that a Github user has a
>>> GPG key
>>> >> > that is matching what is registered in the ASF?  Just because you
>>> have a
>>> >> > GPG key does not mean you are an ASF committer, so the check would
>>> have
>>> >> to
>>> >> > be made to verify the GPG is registered to an ASF committer before
>>> they
>>> >> > would be allowed to actually commit via Github.  How would this be
>>> >> resolved?
>>> >> >
>>> >> > *Will STEVENS*
>>> >> > Lead Developer
>>> >> >
>>> >> > *CloudOps* *| *Cloud Solutions Experts
>>> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> >> > w cloudops.com *|* tw @CloudOps_
>>> >> >
>>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
>>> >> > rafaelweingartner@gmail.com> wrote:
>>> >> >
>>> >> >> There is a way to do that. When you become a committer, you can
>>> >> register a
>>> >> >> key at [1], then that key (public key) is loaded to [2]. The key is
>>> >> >> associated with the committer’s login. For instance, this is my
>>> public
>>> >> key
>>> >> >> [3].
>>> >> >>
>>> >> >> [1] id.apache.org
>>> >> >> [2] https://people.apache.org/keys/committer/
>>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
>>> >> >>
>>> >> >>
>>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <
>>> wstevens@cloudops.com>
>>> >> >> wrote:
>>> >> >>
>>> >> >> > I don't think it is quite this simple.  There would have to be a
>>> way
>>> >> for
>>> >> >> > the GPG key to be associated with a specific ASF identity and I
>>> don't
>>> >> >> think
>>> >> >> > that is in place at this time.  Also, there would have to be
>>> >> >> verification
>>> >> >> > that the person who is committing has a GPG key AND that they
>>> are a
>>> >> >> > committer in ASF and have an identity there.  I think there are
>>> more
>>> >> >> moving
>>> >> >> > parts here than meet the eye, but we can definitely continue the
>>> >> >> discussion
>>> >> >> > and see where it can lead.
>>> >> >> >
>>> >> >> > *Will STEVENS*
>>> >> >> > Lead Developer
>>> >> >> >
>>> >> >> > *CloudOps* *| *Cloud Solutions Experts
>>> >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> >> >> > w cloudops.com *|* tw @CloudOps_
>>> >> >> >
>>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <
>>> wido@widodh.nl>
>>> >> >> wrote:
>>> >> >> >
>>> >> >> > >
>>> >> >> > > > Op 6 april 2016 om 10:50 schreef Daan Hoogland <
>>> >> >> > daan.hoogland@gmail.com
>>> >> >> > > >:
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > > Good reading for the Wednesday morning;) yes I think we need
>>> to
>>> >> go
>>> >> >> > there
>>> >> >> > > > and maybe even ask it of our contributors.
>>> >> >> > > >
>>> >> >> > >
>>> >> >> > > It might please the ASF since we can now prove who made the
>>> commit.
>>> >> >> If we
>>> >> >> > > ask
>>> >> >> > > all committers to upload their public key and sign their
>>> commits we
>>> >> >> can
>>> >> >> > > check
>>> >> >> > > this.
>>> >> >> > >
>>> >> >> > > For Pull Requests we can probably also add a hook/check which
>>> >> verifies
>>> >> >> > if a
>>> >> >> > > signature is present.
>>> >> >> > >
>>> >> >> > > Wido
>>> >> >> > >
>>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <
>>> >> wido@widodh.nl>
>>> >> >> > > wrote:
>>> >> >> > > >
>>> >> >> > > > > Hi,
>>> >> >> > > > >
>>> >> >> > > > > Github just added [0] support for verifying GPG signatures
>>> of
>>> >> Git
>>> >> >> > > commits
>>> >> >> > > > > to the
>>> >> >> > > > > web interface.
>>> >> >> > > > >
>>> >> >> > > > > Under the settings page [1] you can now add your public GPG
>>> >> key so
>>> >> >> > > Github
>>> >> >> > > > > can
>>> >> >> > > > > verify it.
>>> >> >> > > > >
>>> >> >> > > > > It's rather simple:
>>> >> >> > > > >
>>> >> >> > > > > $ gpg --armor --export wido@widodh.nl
>>> >> >> > > > >
>>> >> >> > > > > That gave me my public key which I could export.
>>> >> >> > > > >
>>> >> >> > > > > Git already supports signing [2] commits with your key.
>>> >> >> > > > >
>>> >> >> > > > > This makes me wonder, is this something we want to
>>> enforce? To
>>> >> me
>>> >> >> it
>>> >> >> > > seems
>>> >> >> > > > > like
>>> >> >> > > > > a good thing to have.
>>> >> >> > > > >
>>> >> >> > > > > Wido
>>> >> >> > > > >
>>> >> >> > > > > [0]:
>>> https://github.com/blog/2144-gpg-signature-verification
>>> >> >> > > > > [1]: https://github.com/settings/keys
>>> >> >> > > > > [2]:
>>> >> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>> >> >> > > > >
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > >
>>> >> >> > > > --
>>> >> >> > > > Daan
>>> >> >> > >
>>> >> >> >
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Rafael Weingärtner
>>> >> >>
>>> >> >
>>> >> >
>>> >>
>>> >>
>>> >> --
>>> >> Daan
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Rafael Weingärtner
>>> >
>>>
>>
>>
>>
>> --
>> Daan
>>
>
>
>
> --
> Rafael Weingärtner
>



-- 
Daan

Re: GPG signing commits on Github

Posted by Rafael Weingärtner <ra...@gmail.com>.
Sorry, but I did not understand. We do not have commit access to Github,
right?

On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <da...@gmail.com>
wrote:

> hm, no ;) We can control access to the organisation right? so we can close
> it for committers that don't have a valid key. We just need to think of a
> procedure for checking and registration.
>
> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <ws...@cloudops.com>
> wrote:
>
>> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
>> only that we can't allow commit access on Github because then we can not
>> limit it to only valid committers who COULD commit.  Is that clearer?
>>
>> *Will STEVENS*
>> Lead Developer
>>
>> *CloudOps* *| *Cloud Solutions Experts
>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>> w cloudops.com *|* tw @CloudOps_
>>
>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
>> rafaelweingartner@gmail.com> wrote:
>>
>> > I agree with Daan.
>> >
>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <daan.hoogland@gmail.com
>> >
>> > wrote:
>> >
>> >> Will, we only need to be sure about the key's of committers. Only merge
>> >> commits we need to be sure of the signature and the merger needs to be
>> >> verify the code. He can not assure that the origin of the code is
>> >> authentic
>> >> but he can at least assure that the code is unchanged since
>> contribution
>> >> when it is signed. I don't think we need more.
>> >>
>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <ws...@cloudops.com>
>> >> wrote:
>> >>
>> >> > Ok, that is half.  But how do we verify that a Github user has a GPG
>> key
>> >> > that is matching what is registered in the ASF?  Just because you
>> have a
>> >> > GPG key does not mean you are an ASF committer, so the check would
>> have
>> >> to
>> >> > be made to verify the GPG is registered to an ASF committer before
>> they
>> >> > would be allowed to actually commit via Github.  How would this be
>> >> resolved?
>> >> >
>> >> > *Will STEVENS*
>> >> > Lead Developer
>> >> >
>
>
>
> --
> Daan
>



-- 
Rafael Weingärtner

Re: GPG signing commits on Github

Posted by Daan Hoogland <da...@gmail.com>.
hm, no ;) We can control access to the organisation, right? So we can close
it for committers that don't have a valid key. We just need to think of a
procedure for checking and registration.

On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <ws...@cloudops.com> wrote:

> Yes, I agree with both of you.  Maybe I am not being clear.  My point is
> only that we can't allow commit access on Github because then we can not
> limit it to only valid committers who COULD commit.  Is that clearer?
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>



-- 
Daan

Re: GPG signing commits on Github

Posted by Will Stevens <ws...@cloudops.com>.
Yes, I agree with both of you.  Maybe I am not being clear.  My point is
only that we can't allow commit access on Github because then we can not
limit it to only valid committers who COULD commit.  Is that clearer?

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:

> I agree with Daan.
>
>
> --
> Rafael Weingärtner
>

Re: GPG signing commits on Github

Posted by Rafael Weingärtner <ra...@gmail.com>.
I agree with Daan.

On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <da...@gmail.com>
wrote:

> Will, we only need to be sure about the keys of committers. Only for merge
> commits do we need to be sure of the signature, and the merger needs to
> verify the code. He cannot assure that the origin of the code is authentic,
> but he can at least assure that the code is unchanged since contribution
> when it is signed. I don't think we need more.
>
>
>
> --
> Daan
>



-- 
Rafael Weingärtner

Re: GPG signing commits on Github

Posted by Daan Hoogland <da...@gmail.com>.
Will, we only need to be sure about the keys of committers. Only for merge
commits do we need to be sure of the signature, and the merger needs to
verify the code. He cannot assure that the origin of the code is authentic,
but he can at least assure that the code is unchanged since contribution
when it is signed. I don't think we need more.

On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <ws...@cloudops.com> wrote:

> Ok, that is half.  But how do we verify that a Github user has a GPG key
> that is matching what is registered in the ASF?  Just because you have a
> GPG key does not mean you are an ASF committer, so the check would have to
> be made to verify the GPG is registered to an ASF committer before they
> would be allowed to actually commit via Github.  How would this be resolved?
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>


-- 
Daan

Re: GPG signing commits on Github

Posted by Will Stevens <ws...@cloudops.com>.
Ok, that is half.  But how do we verify that a Github user has a GPG key
that is matching what is registered in the ASF?  Just because you have a
GPG key does not mean you are an ASF committer, so the check would have to
be made to verify the GPG is registered to an ASF committer before they
would be allowed to actually commit via Github.  How would this be resolved?

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <
rafaelweingartner@gmail.com> wrote:

> There is a way to do that. When you become a committer, you can register a
> key at [1], then that key (public key) is loaded to [2]. The key is
> associated with the committer’s login. For instance, this is my public key
> [3].
>
> [1] id.apache.org
> [2] https://people.apache.org/keys/committer/
> [3] https://people.apache.org/keys/committer/rafael.asc
>
>
> --
> Rafael Weingärtner
>

Re: GPG signing commits on Github

Posted by Rafael Weingärtner <ra...@gmail.com>.
There is a way to do that. When you become a committer, you can register a
key at [1], then that key (public key) is loaded to [2]. The key is
associated with the committer’s login. For instance, this is my public key
[3].

[1] id.apache.org
[2] https://people.apache.org/keys/committer/
[3] https://people.apache.org/keys/committer/rafael.asc


On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <ws...@cloudops.com> wrote:

> I don't think it is quite this simple.  There would have to be a way for
> the GPG key to be associated with a specific ASF identity and I don't think
> that is in place at this time.  Also, there would have to be verification
> that the person who is committing has a GPG key AND that they are a
> committer in ASF and have an identity there.  I think there are more moving
> parts here than meet the eye, but we can definitely continue the discussion
> and see where it can lead.
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>



-- 
Rafael Weingärtner

Re: GPG signing commits on Github

Posted by Will Stevens <ws...@cloudops.com>.
I don't think it is quite this simple.  There would have to be a way for
the GPG key to be associated with a specific ASF identity and I don't think
that is in place at this time.  Also, there would have to be verification
that the person who is committing has a GPG key AND that they are a
committer in ASF and have an identity there.  I think there are more moving
parts here than meet the eye, but we can definitely continue the discussion
and see where it can lead.

*Will STEVENS*
Lead Developer

*CloudOps* *| *Cloud Solutions Experts
420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
w cloudops.com *|* tw @CloudOps_

On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <wi...@widodh.nl> wrote:

>
> > Op 6 april 2016 om 10:50 schreef Daan Hoogland <daan.hoogland@gmail.com
> >:
> >
> >
> > Good reading for the Wednesday morning;) yes I think we need to go there
> > and maybe even ask it of our contributors.
> >
>
> It might please the ASF since we can now prove who made the commit. If we
> ask
> all committers to upload their public key and sign their commits we can
> check
> this.
>
> For Pull Requests we can probably also add a hook/check which verifies if a
> signature is present.
>
> Wido
>

Re: GPG signing commits on Github

Posted by Daan Hoogland <da...@gmail.com>.
On Wed, Apr 6, 2016 at 11:00 AM, Wido den Hollander <wi...@widodh.nl> wrote:

>
> > Op 6 april 2016 om 10:50 schreef Daan Hoogland <daan.hoogland@gmail.com
> >:
> >
> >
> > Good reading for the Wednesday morning;) yes I think we need to go there
> > and maybe even ask it of our contributors.
> >
>
> It might please the ASF since we can now prove who made the commit. If we
> ask
> all committers to upload their public key and sign their commits we can
> check
> this.
>
> For Pull Requests we can probably also add a hook/check which verifies if a
> signature is present.
>
and revoke/allow committer access to the organisation based on it

...

life is great.

>
> Wido
>



-- 
Daan

Re: GPG signing commits on Github

Posted by Wido den Hollander <wi...@widodh.nl>.
> On 6 April 2016 at 10:50, Daan Hoogland <da...@gmail.com> wrote:
> 
> 
> Good reading for the Wednesday morning;) yes I think we need to go there
> and maybe even ask it of our contributors.
> 

It might please the ASF since we can now prove who made the commit. If we ask
all committers to upload their public key and sign their commits we can check
this.

For Pull Requests we can probably also add a hook/check which verifies if a
signature is present.

Wido 

> On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <wi...@widodh.nl> wrote:
> 
> > Hi,
> >
> > Github just added [0] support for verifying GPG signatures of Git commits
> > to the
> > web interface.
> >
> > Under the settings page [1] you can now add your public GPG key so Github
> > can
> > verify it.
> >
> > It's rather simple:
> >
> > $ gpg --armor --export wido@widodh.nl
> >
> > That gave me my public key which I could export.
> >
> > Git already supports signing [2] commits with your key.
> >
> > This makes me wonder, is this something we want to enforce? To me it seems
> > like
> > a good thing to have.
> >
> > Wido
> >
> > [0]: https://github.com/blog/2144-gpg-signature-verification
> > [1]: https://github.com/settings/keys
> > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> >
> 
> 
> 
> -- 
> Daan
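A sketch of the pull-request check Wido describes above, added here as an example; it is not CloudStack project code and does not come from the thread. It relies only on git's own signature verification (the %G? and %GS placeholders of git log's --format) and assumes the committers' public keys have already been imported into the gpg keyring on the machine running the check. The function names check_signatures and run_on_range and the ALLOW_UNTRUSTED switch are my own.

```shell
#!/bin/sh
# Added example, not CloudStack project code: a pre-merge check that every
# commit in a pull-request range carries a GPG signature git can verify.
#
# git's pretty format reports the verdict per commit:
#   %H   commit hash
#   %G?  signature status: G good, B bad, U good but key not trusted locally,
#        X good but signature expired, Y good but key expired,
#        R good but key revoked, E cannot be checked (key missing), N unsigned
#   %GS  name of the signer (empty when unsigned)
#
# check_signatures reads those tab-separated lines on stdin, so it can be
# exercised with constructed input; run_on_range produces them from git.

LOG_FORMAT='%H%x09%G?%x09%GS'

# Reads "hash<TAB>status<TAB>signer" lines, prints one verdict per commit and
# returns 0 only if every commit has a good signature (G, or U when the
# hypothetical ALLOW_UNTRUSTED=1 switch is set).
check_signatures() {
    allow_untrusted="${ALLOW_UNTRUSTED:-0}"
    failures=0
    while IFS="$(printf '\t')" read -r hash status signer; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) verdict="OK   good signature by ${signer}" ;;
            U) if [ "$allow_untrusted" = 1 ]; then
                   verdict="OK   good signature, key not trusted locally (${signer})"
               else
                   verdict="FAIL good signature but key not trusted (${signer})"
                   failures=$((failures + 1))
               fi ;;
            N) verdict="FAIL not signed"
               failures=$((failures + 1)) ;;
            B) verdict="FAIL BAD signature"
               failures=$((failures + 1)) ;;
            E) verdict="FAIL signature could not be checked (public key missing?)"
               failures=$((failures + 1)) ;;
            X|Y|R) verdict="FAIL good signature but key or signature expired/revoked (${signer})"
               failures=$((failures + 1)) ;;
            *) verdict="FAIL unknown status '${status}'"
               failures=$((failures + 1)) ;;
        esac
        printf '%s %s\n' "$hash" "$verdict"
    done
    if [ "$failures" -gt 0 ]; then
        printf '%d commit(s) failed the signature check\n' "$failures" >&2
        return 1
    fi
    return 0
}

# Checks every commit reachable from HEAD_REF but not from BASE_REF, e.g.
# run_on_range origin/master pr-branch. Signers' public keys must be in the
# local gpg keyring, otherwise every commit shows up as status E.
run_on_range() {
    git log --format="$LOG_FORMAT" "$1..$2" | check_signatures
}

# Only touch git when invoked with an explicit range; a CI job or hook would
# call this script as: check-signatures.sh "$BASE" "$HEAD".
if [ "$#" -eq 2 ]; then
    run_on_range "$1" "$2"
fi
```

Two caveats a practitioner will hit: GitHub's "Verified" badge is computed against keys uploaded to GitHub accounts, while this check verifies against the local keyring, so the committers' public keys have to be distributed to wherever the hook runs; and a good signature from a key that has no trust set locally reports U rather than G, which is why the example carries an ALLOW_UNTRUSTED switch. To produce signatures in the first place, set git config user.signingkey with the key id and commit with git commit -S (or set commit.gpgsign to true).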

Re: GPG signing commits on Github

Posted by Daan Hoogland <da...@gmail.com>.
Good reading for the Wednesday morning;) yes I think we need to go there
and maybe even ask it of our contributors.

On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <wi...@widodh.nl> wrote:

> Hi,
>
> Github just added [0] support for verifying GPG signatures of Git commits
> to the
> web interface.
>
> Under the settings page [1] you can now add your public GPG key so Github
> can
> verify it.
>
> It's rather simple:
>
> $ gpg --armor --export wido@widodh.nl
>
> That gave me my public key which I could export.
>
> Git already supports signing [2] commits with your key.
>
> This makes me wonder, is this something we want to enforce? To me it seems
> like
> a good thing to have.
>
> Wido
>
> [0]: https://github.com/blog/2144-gpg-signature-verification
> [1]: https://github.com/settings/keys
> [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>



-- 
Daan