Posted to dev@polygene.apache.org by Niclas Hedhman <ni...@hedhman.org> on 2015/10/28 02:32:54 UTC

Commit signing?

Hi,
There is some internal debate about how to ensure provenance in a Git and
GitHub world. I can't say how that discussion is going, but one idea that
surfaced, which we (the projects) can do regardless of the total outcome
to improve code provenance, is to sign our commits.

I first note that IntelliJ doesn't support commit signing directly.

Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
that correctly) is a must read.

In that paper, I am specifically talking about Option #3 (as I doubt that
we (Zest) will get too many pull requests that are many commits long)

This seems to be something that can be introduced incrementally and at slow
pace, which is something we like at Apache. Trust enforcement and all of
that can be done later, and perhaps other projects will lead the way...

I would like to hear what people think about this...

Cheers
Niclas

P.S. I am now settled in in Shanghai and have just started to work on a new
Zest based app in my spare time, so activity should start to pick up again.

Re: Commit signing?

Posted by Sandro Martini <sa...@gmail.com>.
Hi Niclas,
after reading so many emails on Git and code provenance (and maybe having
lost some emails ...) I fear this would introduce a small complexity
without much gain ... anyway, I think that we could try something,
if not in the main repository then in zest-sandbox.

I have a Code Signing PGP key with my Apache ID that's still valid; to
begin we could exchange our public keys among us :-) . And then add them
to the KEYS file in the Zest source repository.
My Key ID is: F9EDAF10 , note that it's published at the MIT Key Server
(it should be valid, please tell me if not, because it's not clear); you
can find it even here (two asc files, but it's the same key):
http://people.apache.org/~smartini/
I put it here in attachment just for convenience.

Niclas, yours?
Paul and others ?

Stay well.

Bye,
Sandro

2015-10-28 2:32 GMT+01:00 Niclas Hedhman <ni...@hedhman.org>:
> Hi,
> There is some internal debate about how to ensure provenance in a Git and
> GitHub world. I can't say how that discussion is going, but one idea that
> surfaced, which we (the projects) can do regardless of the total outcome
> to improve code provenance, is to sign our commits.
>
> I first note that IntelliJ doesn't support commit signing directly.
>
> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> that correctly) is a must read.
>
> In that paper, I am specifically talking about Option #3 (as I doubt that
> we (Zest) will get too many pull requests that are many commits long)
>
> This seems to be something that can be introduced incrementally and at slow
> pace, which is something we like at Apache. Trust enforcement and all of
> that can be done later, and perhaps other projects will lead the way...
>
> I would like to hear what people think about this...
>
> Cheers
> Niclas
>
> P.S. I am now settled in in Shanghai and have just started to work on a new
> Zest based app in my spare time, so activity should start to pick up again.

Re: Commit signing?

Posted by Paul Merlin <pa...@nosphere.org>.
Niclas Hedhman a écrit :
> Drawback, more work...

Sure. Or we state that we require external contributions to be squashed.

> KEYS should also be available on pgp.mit.edu
>
> On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <pa...@nosphere.org> wrote:
>
>> Niclas Hedhman a écrit :
>>> Hi,
>>> There is some internal debate about how to ensure provenance in a Git and
>>> GitHub world. I can't say how that discussion is going, but one idea that
>>> surfaced, which we (the projects) can do regardless of the total outcome
>>> to improve code provenance, is to sign our commits.
>>>
>>> I first note that IntelliJ doesn't support commit signing directly.
>>>
>>> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
>>> that correctly) is a must read.
>>>
>>> In that paper, I am specifically talking about Option #3 (as I doubt that
>>> we (Zest) will get too many pull requests that are many commits long)
>>>
>>> This seems to be something that can be introduced incrementally and at slow
>>> pace, which is something we like at Apache. Trust enforcement and all of
>>> that can be done later, and perhaps other projects will lead the way...
>>>
>>> I would like to hear what people think about this...
>> I think we should sign tags at least/first.
>>
>> I'd be in favor of signing commits.
>> Doing this properly could also mean adding a hook to reject unsigned
>> commits.
>>
>> For external contributions, some Zest committer will always end up doing
>> the actual code import. I'd be in favor of always squashing such code
>> imports, and having the committer sign it. For the
>> numerous-commits-pull-request "use case", it implies a bit of work to get
>> a proper commit message that captures what was spread across several
>> commits, or requesting its author to do the squashing.
>> Do you see any drawbacks doing it like this?
>>
>>> P.S. I am now settled in in Shanghai and have just started to work on a new
>>> Zest based app in my spare time, so activity should start to pick up again.
>> P.S. Good! I've been busy with work changes these weeks. I have good
>> hope that it will calm down a bit.
>>
>> BTW, Niclas key and mine can be found here:
>> https://dist.apache.org/repos/dist/release/zest/KEYS
>>
>>
>
>

Re: Commit signing?

Posted by Niclas Hedhman <ni...@hedhman.org>.
Drawback, more work...

KEYS should also be available on pgp.mit.edu

On Sat, Oct 31, 2015 at 4:24 AM, Paul Merlin <pa...@nosphere.org> wrote:

> Niclas Hedhman a écrit :
> > Hi,
> > There is some internal debate about how to ensure provenance in a Git and
> > GitHub world. I can't say how that discussion is going, but one idea that
> > surfaced, which we (the projects) can do regardless of the total outcome
> > to improve code provenance, is to sign our commits.
> >
> > I first note that IntelliJ doesn't support commit signing directly.
> >
> > Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> > that correctly) is a must read.
> >
> > In that paper, I am specifically talking about Option #3 (as I doubt that
> > we (Zest) will get too many pull requests that are many commits long)
> >
> > This seems to be something that can be introduced incrementally and at slow
> > pace, which is something we like at Apache. Trust enforcement and all of
> > that can be done later, and perhaps other projects will lead the way...
> >
> > I would like to hear what people think about this...
> I think we should sign tags at least/first.
>
> I'd be in favor of signing commits.
> Doing this properly could also mean adding a hook to reject unsigned
> commits.
>
> For external contributions, some Zest committer will always end up doing
> the actual code import. I'd be in favor of always squashing such code
> imports, and having the committer sign it. For the
> numerous-commits-pull-request "use case", it implies a bit of work to get
> a proper commit message that captures what was spread across several
> commits, or requesting its author to do the squashing.
> Do you see any drawbacks doing it like this?
>
> > P.S. I am now settled in in Shanghai and have just started to work on a new
> > Zest based app in my spare time, so activity should start to pick up again.
> P.S. Good! I've been busy with work changes these weeks. I have good
> hope that it will calm down a bit.
>
> BTW, Niclas key and mine can be found here:
> https://dist.apache.org/repos/dist/release/zest/KEYS
>
>


-- 
Niclas Hedhman, Software Developer
http://zest.apache.org - New Energy for Java

Re: Commit signing?

Posted by Paul Merlin <pa...@nosphere.org>.
Niclas Hedhman a écrit :
> Hi,
> There is some internal debate about how to ensure provenance in a Git and
> GitHub world. I can't say how that discussion is going, but one idea that
> surfaced, which we (the projects) can do regardless of the total outcome
> to improve code provenance, is to sign our commits.
>
> I first note that IntelliJ doesn't support commit signing directly.
>
> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> that correctly) is a must read.
>
> In that paper, I am specifically talking about Option #3 (as I doubt that
> we (Zest) will get too many pull requests that are many commits long)
>
> This seems to be something that can be introduced incrementally and at slow
> pace, which is something we like at Apache. Trust enforcement and all of
> that can be done later, and perhaps other projects will lead the way...
>
> I would like to hear what people think about this...
I think we should sign tags at least/first.

I'd be in favor of signing commits.
Doing this properly could also mean adding a hook to reject unsigned
commits.

For external contributions, some Zest committer will always end up doing
the actual code import. I'd be in favor of always squashing such code
imports, and having the committer sign it. For the
numerous-commits-pull-request "use case", it implies a bit of work to get
a proper commit message that captures what was spread across several
commits, or requesting its author to do the squashing.
Do you see any drawbacks doing it like this?

> P.S. I am now settled in in Shanghai and have just started to work on a new
> Zest based app in my spare time, so activity should start to pick up again.
P.S. Good! I've been busy with work changes these weeks. I have good
hope that it will calm down a bit.
 
BTW, Niclas key and mine can be found here:
https://dist.apache.org/repos/dist/release/zest/KEYS
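The "hook to reject unsigned commits" Paul proposes, and the point from earlier in the thread that the committers' keys have to be in a KEYS file so that signatures can be checked, are shown below as an added example. This is not Zest code and not something the project adopted; it is a plain `update` hook in POSIX sh, with a self-contained demo that builds throwaway repositories and exercises both the reject path (unsigned commits) and, when gpg is usable on the machine, the accept path (a commit signed with a throwaway key). Everything outside the thread is an assumption: the hook is assumed to be installed as `hooks/update` on the server-side repository, the keyring read by the hook's gpg is assumed to contain the committers' public keys (for instance from `gpg --import KEYS`), and the demo key identity "Zest Demo <demo@example.invalid>" is made up for the script.

```shell
#!/bin/sh
# Added example, not Zest/Polygene project code: an "update" hook that rejects
# pushes containing unsigned or unverifiable commits, plus a throwaway-repo demo.
# Assumptions (not from the thread): installed as hooks/update on the server,
# and committers' public keys (e.g. `gpg --import KEYS`) are in the hook's keyring.

# check_signed_range <oldrev> <newrev>
# Prints each pushed commit with its signature status; returns 1 if any commit
# is unsigned or its signature cannot be verified.
check_signed_range() {
    oldrev=$1; newrev=$2
    zero=0000000000000000000000000000000000000000
    [ "$newrev" = "$zero" ] && return 0        # branch deletion: nothing to check
    if [ "$oldrev" = "$zero" ]; then
        range="$newrev --not --all"            # new branch: only commits not already present
    else
        range="$oldrev..$newrev"
    fi
    bad=0
    for c in $(git rev-list $range); do
        # %G? -> G good, U good but key untrusted, B bad, E cannot verify
        #        (e.g. key not imported), N unsigned, X/Y/R expired or revoked
        status=$(git log -1 --format='%G?' "$c")
        case "$status" in
            G) echo "ok     $c" ;;
            U) echo "ok     $c (signed, key not yet trusted: see KEYS)" ;;
            *) echo "REJECT $c (signature status '$status')"; bad=1 ;;
        esac
    done
    return $bad
}

# Demo 1: two unsigned commits in a scratch repo must be rejected.
# Returns 0 when the check rejects them (the desired outcome), 1 otherwise.
demo_unsigned_rejected() {
    tmp=$(mktemp -d) || return 1
    rc=0
    (
        cd "$tmp" && git init -q . || exit 1
        for msg in "root (unsigned)" "feature (unsigned)"; do
            git -c user.name=Demo -c user.email=demo@example.invalid \
                -c commit.gpgsign=false commit -q --allow-empty -m "$msg" || exit 1
        done
        if check_signed_range "$(git rev-parse HEAD~1)" "$(git rev-parse HEAD)"; then
            echo "hook accepted an unsigned commit" >&2; exit 1
        fi
    ) || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo 2: a commit signed with a throwaway key must be accepted. Returns 0 on
# success, 1 if a good signature was rejected, 2 if gpg is absent or cannot
# generate a key or sign in this environment (skipped rather than failed).
demo_signed_accepted() {
    command -v gpg >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    rc=0
    (
        export GNUPGHOME="$tmp/gnupg"
        mkdir -m 700 "$GNUPGHOME" || exit 2
        # Throwaway key for this demo only; the identity is made up.
        gpg --batch --quiet --passphrase '' --quick-generate-key \
            'Zest Demo <demo@example.invalid>' default default never 2>/dev/null || exit 2
        keyid=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null \
                | awk -F: '$1=="sec"{print $5; exit}')
        [ -n "$keyid" ] || exit 2
        mkdir "$tmp/repo" && cd "$tmp/repo" && git init -q . || exit 2
        git -c user.name=Demo -c user.email=demo@example.invalid \
            commit -q --allow-empty -m "root (unsigned)" || exit 2
        git -c user.name=Demo -c user.email=demo@example.invalid -c user.signingkey="$keyid" \
            commit -q -S --allow-empty -m "feature (signed)" 2>/dev/null || exit 2
        check_signed_range "$(git rev-parse HEAD~1)" "$(git rev-parse HEAD)" || exit 1
        gpgconf --kill gpg-agent 2>/dev/null || true
    ) || rc=$?
    rm -rf "$tmp"
    return $rc
}

# Entry point when installed as hooks/update: git passes <refname> <oldrev> <newrev>.
# Run with no arguments, this file only defines the functions above.
if [ "$#" -eq 3 ]; then
    check_signed_range "$2" "$3" || {
        echo "push to $1 rejected: unsigned or unverifiable commits" >&2; exit 1; }
fi
```

Copy the file to `hooks/update` in the server repository and make it executable; git runs it once per ref before the ref moves, so a rejected push leaves the repository untouched. Status `U` (good signature, key not in the server's trust database) is accepted on purpose, matching the thread's idea of deferring trust enforcement; tightening later means accepting only `G`. Status `E` is where a missing KEYS import shows up: the signature exists but the hook's gpg has no public key to check it with, so the push is refused until the key is imported.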