Posted to dev@openwhisk.apache.org by Rodric Rabbah <ro...@gmail.com> on 2018/07/10 15:41:28 UTC

should we enable signed commits on our github repos?

Who knows why we haven't enabled signed commits on the apache repos -
should we require all commits to be signed?

-r

Ref: https://help.github.com/articles/signing-commits-using-gpg/

Re: should we enable signed commits on our github repos?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Tue, Jul 10, 2018 at 6:23 PM Rodric Rabbah <ro...@gmail.com> wrote:
> ...working with @vincent to
> publish his key to avoid this:
>    gpg: WARNING: This key is not certified with a trusted signature!
>    gpg:          There is no indication that the signature belongs to the
> owner....

I'm not sure if this is related to GitHub, AFAIK what's happening is
that Vincent's GPG key is not signed by other people in a way that
creates a chain of signatures to your own key.

We usually have key signing events at Apache conferences, see
https://www.apache.org/dev/release-signing.html#key-signing-party and
the following sections.

-Bertrand
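The distinction Bertrand draws above, a signature that is cryptographically good versus a key that the verifier's web of trust actually vouches for, is what a release checker has to encode. As an added example, not from this thread or from the OpenWhisk release tooling, the Python helper below parses the machine-readable `[GNUPG:]` lines gpg emits with `--status-fd` (the real GOODSIG/VALIDSIG/TRUST_* tags) and accepts only when the key is either trusted by gpg or pinned to a fingerprint obtained out of band, such as one listed in a project's KEYS file; the status lines and the fingerprint are constructed samples.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # gpg's web of trust vouches for the key
FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

@dataclass
class Verdict:
    signature_valid: bool = False      # GOODSIG seen and no failure tag
    signer_fpr: Optional[str] = None   # primary key fingerprint from VALIDSIG
    trust_level: Optional[str] = None  # TRUST_* tag gpg printed, if any
    pinned: bool = False               # fingerprint found in the allow-list
    problems: List[str] = field(default_factory=list)

    @property
    def accept(self) -> bool:
        # A good signature alone is not enough: either gpg's web of trust or a
        # pinned fingerprint (e.g. from a KEYS file) must vouch for the key.
        # TRUST_UNDEFINED on its own is exactly the "not certified" warning.
        return self.signature_valid and (self.pinned or self.trust_level in TRUSTED)

def classify(status_output: str, pinned_fingerprints: Set[str]) -> Verdict:
    """Parse the machine-readable lines of `gpg --status-fd 1 --verify`."""
    v, good = Verdict(), False
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable text, not a status line
        fields = line[len(STATUS_PREFIX):].split()
        tag = fields[0]
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":  # fields[10], when present, is the primary key fpr
            v.signer_fpr = fields[10] if len(fields) > 10 else fields[1]
        elif tag.startswith("TRUST_"):
            v.trust_level = tag
        elif tag in FAILURES:
            v.problems.append(line)
    v.signature_valid = good and not v.problems
    pins = {f.replace(" ", "").upper() for f in pinned_fingerprints}
    v.pinned = bool(v.signer_fpr) and v.signer_fpr.upper() in pins
    return v

# Constructed sample: good signature from a key with no trust path to the verifier.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed value
SAMPLE_STATUS = f"""\
[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager (constructed) <rm@example.invalid>
[GNUPG:] VALIDSIG {SAMPLE_FPR} 2018-07-10 1531238400 0 4 0 1 10 00 {SAMPLE_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

`classify(SAMPLE_STATUS, set()).accept` is False (good signature, unknown key), while `classify(SAMPLE_STATUS, {SAMPLE_FPR}).accept` is True because the fingerprint was pinned, which is the check that makes the web-of-trust warning irrelevant for release verification.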

Re: should we enable signed commits on our github repos?

Posted by Rodric Rabbah <ro...@gmail.com>.
Vincent's key is now properly signed and listed in a public directory - so
that error should no longer appear.
It was that error though which prompted me to ask if we should have
contributors sign their commits.

From the feedback so far, it seems unnecessary, and undesirable.

-r

On Thu, Jul 12, 2018 at 10:29 AM, Bertrand Delacretaz <
bdelacretaz@apache.org> wrote:

> On Tue, Jul 10, 2018 at 10:02 PM Matt Rutkowski <mr...@apache.org>
> wrote:
> > ...signed, tagged releases are just fine by me...
>
> Note that releases which cannot be traced to an Incubator PMC vote are
> *not* Apache Releases, whoever does them does so under their own
> responsibility.
>
> OTOH, Apache Releases are acts of the Foundation, which is how the ASF
> provides legal protection.
>
> http://www.apache.org/dev/release-publishing.html and
> http://www.apache.org/legal/release-policy.html provide more details.
>
> -Bertrand
>

Re: should we enable signed commits on our github repos?

Posted by Rodric Rabbah <ro...@gmail.com>.
Hi Matt, I think the concern is for the runtime repos, and the cli related
repos for example:

https://github.com/apache/incubator-openwhisk-runtime-nodejs/releases

all the runtime repos and the cli have "releases" which are not the same -
we used this more as stable builds for dependence management (until we can
adopt the official releases).

-r

On Thu, Jul 12, 2018 at 11:05 AM, Matt Rutkowski <mr...@us.ibm.com>
wrote:

> >>Is there an "OpenWhisk release management" page somewhere already, or
> should one be created ?
>
> That is what the entire release repo. is inclusive of, with the goal of
> making it a community-inclusive dynamic process linked to CI/CD
> processes...
> https://github.com/apache/incubator-openwhisk-release
>
> open issues, discuss/link in dev list, create PRs...
>
> From:   Bertrand Delacretaz <bd...@apache.org>
> To:     dev@openwhisk.apache.org
> Date:   07/12/2018 09:58 AM
> Subject:        Re: should we enable signed commits on our github repos?
>
>
>
> On Thu, Jul 12, 2018 at 4:47 PM Matt Rutkowski <mr...@us.ibm.com>
> wrote:
> >
> > .. thought I was endorsing the Apache release process we have been
> working
> > on in accordance with Apache policies... did you read into that
> statement
> > otherwise?...
>
> Apparently yes, sorry about that...I understood "tagged releases" to
> just mean "tagging something on GitHub".
>
> OTOH some
> https://github.com/apache/incubator-openwhisk-*/releases
> are
> happening which can be confusing - I think the role of those needs to
> be clarified (*) at least so that PPMC members know what is what and
> don't put themselves at risk.
>
> Is there an "OpenWhisk release management" page somewhere already, or
> should one be created ?
>
> -Bertrand
>
> (*) Test releases and nightly builds are ok for Apache projects but
> there are some restrictions on how they are advertised, see
> http://www.apache.org/legal/release-policy.html#host-rc
>

Re: should we enable signed commits on our github repos?

Posted by Matt Rutkowski <mr...@us.ibm.com>.
>>Is there an "OpenWhisk release management" page somewhere already, or
should one be created ?

That is what the entire release repo. is inclusive of, with the goal of 
making it a community-inclusive dynamic process linked to CI/CD 
processes...
https://github.com/apache/incubator-openwhisk-release

open issues, discuss/link in dev list, create PRs...
From:   Bertrand Delacretaz <bd...@apache.org>
To:     dev@openwhisk.apache.org
Date:   07/12/2018 09:58 AM
Subject:        Re: should we enable signed commits on our github repos?



On Thu, Jul 12, 2018 at 4:47 PM Matt Rutkowski <mr...@us.ibm.com> 
wrote:
>
> .. thought I was endorsing the Apache release process we have been 
working
> on in accordance with Apache policies... did you read into that 
statement
> otherwise?...

Apparently yes, sorry about that...I understood "tagged releases" to
just mean "tagging something on GitHub".

OTOH some 
https://github.com/apache/incubator-openwhisk-*/releases 
are
happening which can be confusing - I think the role of those needs to
be clarified (*) at least so that PPMC members know what is what and
don't put themselves at risk.

Is there an "OpenWhisk release management" page somewhere already, or
should one be created ?

-Bertrand

(*) Test releases and nightly builds are ok for Apache projects but
there are some restrictions on how they are advertised, see
http://www.apache.org/legal/release-policy.html#host-rc
Re: should we enable signed commits on our github repos?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Thu, Jul 12, 2018 at 4:47 PM Matt Rutkowski <mr...@us.ibm.com> wrote:
>
> .. thought I was endorsing the Apache release process we have been working
> on in accordance with Apache policies... did you read into that statement
> otherwise?...

Apparently yes, sorry about that...I understood "tagged releases" to
just mean "tagging something on GitHub".

OTOH some https://github.com/apache/incubator-openwhisk-*/releases are
happening which can be confusing - I think the role of those needs to
be clarified (*) at least so that PPMC members know what is what and
don't put themselves at risk.

Is there an "OpenWhisk release management" page somewhere already, or
should one be created ?

-Bertrand

(*) Test releases and nightly builds are ok for Apache projects but
there are some restrictions on how they are advertised, see
http://www.apache.org/legal/release-policy.html#host-rc

Re: should we enable signed commits on our github repos?

Posted by Matt Rutkowski <mr...@us.ibm.com>.
.. thought I was endorsing the Apache release process we have been working 
on in accordance with Apache policies... did you read into that statement 
otherwise?
From:   Bertrand Delacretaz <bd...@apache.org>
To:     dev@openwhisk.apache.org
Date:   07/12/2018 09:32 AM
Subject:        Re: should we enable signed commits on our github repos?



On Tue, Jul 10, 2018 at 10:02 PM Matt Rutkowski <mr...@apache.org> 
wrote:
> ...signed, tagged releases are just fine by me...

Note that releases which cannot be traced to an Incubator PMC vote are
*not* Apache Releases, whoever does them does so under their own
responsibility.

OTOH, Apache Releases are acts of the Foundation, which is how the ASF
provides legal protection.

http://www.apache.org/dev/release-publishing.html 
and
http://www.apache.org/legal/release-policy.html 
provide more details.

-Bertrand
Re: should we enable signed commits on our github repos?

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Jul 10, 2018 at 10:02 PM Matt Rutkowski <mr...@apache.org> wrote:
> ...signed, tagged releases are just fine by me...

Note that releases which cannot be traced to an Incubator PMC vote are
*not* Apache Releases, whoever does them does so under their own
responsibility.

OTOH, Apache Releases are acts of the Foundation, which is how the ASF
provides legal protection.

http://www.apache.org/dev/release-publishing.html and
http://www.apache.org/legal/release-policy.html provide more details.

-Bertrand

Re: should we enable signed commits on our github repos?

Posted by Matt Rutkowski <mr...@apache.org>.
+1 no more hurdles, signed, tagged releases are just fine by me...

On 2018/07/10 16:22:46, Rodric Rabbah <ro...@gmail.com> wrote: 
> Thanks for the quick feedback - makes sense to try and keep frictionless.
> 
> It occurred to me while verifying the release - working with @vincent to
> publish his key to avoid this:
>    gpg: WARNING: This key is not certified with a trusted signature!
>    gpg:          There is no indication that the signature belongs to the
> owner.
> 
> Good enough for the release manager to go through that :)
> 
> -r
> 
> 
> 
> On Tue, Jul 10, 2018 at 12:14 PM, Michael Marth <mm...@adobe.com.invalid>
> wrote:
> 
> > +1 to the hurdle. Even in complicated projects people (like me) like to
> > fix typos in READMEs
> >
> >
> > On 10.07.18, 17:46, "Rob Allen" <ro...@akrabat.com> wrote:
> >
> >
> >     Personally, I only sign tags on the OSS projects I lead.
> >
> >     If you do it on a per-commit basis, it's yet another hurdle that a
> > contributor has to go through. That may not be a consideration for
> > OpenWhisk as it already is a complicated project for the inexperienced to
> > contribute to.
> >
> >     Regards,
> >
> >     Rob
> >
> >     > On 10 Jul 2018, at 16:41, Rodric Rabbah <ro...@gmail.com> wrote:
> >     >
> >     > Who knows why we haven't enabled signed commits on the apache repos -
> >     > should we require all commits to be signed?
> >     >
> >     > -r
> >     >
> >     > Ref: https://help.github.com/articles/signing-commits-using-gpg/
> >
> 

Re: should we enable signed commits on our github repos?

Posted by Rodric Rabbah <ro...@gmail.com>.
Thanks for the quick feedback - makes sense to try and keep frictionless.

It occurred to me while verifying the release - working with @vincent to
publish his key to avoid this:
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the
owner.

Good enough for the release manager to go through that :)

-r



On Tue, Jul 10, 2018 at 12:14 PM, Michael Marth <mm...@adobe.com.invalid>
wrote:

> +1 to the hurdle. Even in complicated projects people (like me) like to
> fix typos in READMEs
>
>
> On 10.07.18, 17:46, "Rob Allen" <ro...@akrabat.com> wrote:
>
>
>     Personally, I only sign tags on the OSS projects I lead.
>
>     If you do it on a per-commit basis, it's yet another hurdle that a
> contributor has to go through. That may not be a consideration for
> OpenWhisk as it already is a complicated project for the inexperienced to
> contribute to.
>
>     Regards,
>
>     Rob
>
>     > On 10 Jul 2018, at 16:41, Rodric Rabbah <ro...@gmail.com> wrote:
>     >
>     > Who knows why we haven't enabled signed commits on the apache repos -
>     > should we require all commits to be signed?
>     >
>     > -r
>     >
>     > Ref: https://help.github.com/articles/signing-commits-using-gpg/
>

Re: should we enable signed commits on our github repos?

Posted by Michael Marth <mm...@adobe.com.INVALID>.
+1 to the hurdle. Even in complicated projects people (like me) like to fix typos in READMEs


On 10.07.18, 17:46, "Rob Allen" <ro...@akrabat.com> wrote:

    
    Personally, I only sign tags on the OSS projects I lead. 
    
    If you do it on a per-commit basis, it's yet another hurdle that a contributor has to go through. That may not be a consideration for OpenWhisk as it already is a complicated project for the inexperienced to contribute to.
    
    Regards,
    
    Rob
    
    > On 10 Jul 2018, at 16:41, Rodric Rabbah <ro...@gmail.com> wrote:
    > 
    > Who knows why we haven't enabled signed commits on the apache repos -
    > should we require all commits to be signed?
    > 
    > -r
    > 
    > Ref: https://help.github.com/articles/signing-commits-using-gpg/
Re: should we enable signed commits on our github repos?

Posted by Rob Allen <ro...@akrabat.com>.
Personally, I only sign tags on the OSS projects I lead. 

If you do it on a per-commit basis, it's yet another hurdle that a contributor has to go through. That may not be a consideration for OpenWhisk as it already is a complicated project for the inexperienced to contribute to.

Regards,

Rob

> On 10 Jul 2018, at 16:41, Rodric Rabbah <ro...@gmail.com> wrote:
> 
> Who knows why we haven't enabled signed commits on the apache repos -
> should we require all commits to be signed?
> 
> -r
> 
> Ref: https://help.github.com/articles/signing-commits-using-gpg/