I agree with Daan.

On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <[email protected]> wrote:

> Will, we only need to be sure about the keys of committers. Only for merge
> commits do we need to be sure of the signature, and the merger needs to
> verify the code. He cannot assure that the origin of the code is authentic,
> but he can at least assure that the code is unchanged since contribution
> when it is signed. I don't think we need more.
>
> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <[email protected]> wrote:
>
> > Ok, that is half. But how do we verify that a Github user has a GPG key
> > that is matching what is registered in the ASF? Just because you have a
> > GPG key does not mean you are an ASF committer, so the check would have
> > to be made to verify the GPG key is registered to an ASF committer before
> > they would be allowed to actually commit via Github. How would this be
> > resolved?
> >
> > *Will STEVENS*
> > Lead Developer
> >
> > *CloudOps* *| *Cloud Solutions Experts
> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> > w cloudops.com *|* tw @CloudOps_
> >
> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <[email protected]> wrote:
> >
> >> There is a way to do that. When you become a committer, you can register
> >> a key at [1], then that key (public key) is loaded to [2]. The key is
> >> associated with the committer's login. For instance, this is my public
> >> key [3].
> >>
> >> [1] id.apache.org
> >> [2] https://people.apache.org/keys/committer/
> >> [3] https://people.apache.org/keys/committer/rafael.asc
> >>
> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <[email protected]> wrote:
> >>
> >> > I don't think it is quite this simple. There would have to be a way
> >> > for the GPG key to be associated with a specific ASF identity and I
> >> > don't think that is in place at this time. Also, there would have to be
> >> > verification that the person who is committing has a GPG key AND that
> >> > they are a committer in ASF and have an identity there. I think there
> >> > are more moving parts here than meet the eye, but we can definitely
> >> > continue the discussion and see where it can lead.
> >> >
> >> > *Will STEVENS*
> >> > Lead Developer
> >> >
> >> > *CloudOps* *| *Cloud Solutions Experts
> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> >> > w cloudops.com *|* tw @CloudOps_
> >> >
> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <[email protected]> wrote:
> >> >
> >> > > > On 6 April 2016 at 10:50, Daan Hoogland <[email protected]> wrote:
> >> > > >
> >> > > > Good reading for the Wednesday morning;) yes I think we need to go
> >> > > > there and maybe even ask it of our contributors.
> >> > > >
> >> > >
> >> > > It might please the ASF since we can now prove who made the commit.
> >> > > If we ask all committers to upload their public key and sign their
> >> > > commits we can check this.
> >> > >
> >> > > For Pull Requests we can probably also add a hook/check which
> >> > > verifies if a signature is present.
> >> > >
> >> > > Wido
> >> > >
> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <[email protected]> wrote:
> >> > > >
> >> > > > > Hi,
> >> > > > >
> >> > > > > Github just added [0] support for verifying GPG signatures of
> >> > > > > Git commits to the web interface.
> >> > > > >
> >> > > > > Under the settings page [1] you can now add your public GPG key
> >> > > > > so Github can verify it.
> >> > > > >
> >> > > > > It's rather simple:
> >> > > > >
> >> > > > > $ gpg --armor --export [email protected]
> >> > > > >
> >> > > > > That gave me my public key which I could export.
> >> > > > >
> >> > > > > Git already supports signing [2] commits with your key.
> >> > > > >
> >> > > > > This makes me wonder, is this something we want to enforce? To
> >> > > > > me it seems like a good thing to have.
> >> > > > >
> >> > > > > Wido
> >> > > > >
> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
> >> > > > > [1]: https://github.com/settings/keys
> >> > > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> >> > > >
> >> > > >
> >> > > > --
> >> > > > Daan
> >>
> >> --
> >> Rafael Weingärtner
>
> --
> Daan

--
Rafael Weingärtner
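The two checks the thread asks for (Wido's hook that a signature is present, and Will's requirement that the signing key belongs to a registered ASF committer) combined into one hook-style script, as an added example that is not code from the thread or from the CloudStack project. It assumes the `.asc` files under https://people.apache.org/keys/committer/ have been imported into the local gpg keyring and that `COMMITTER_FPRS` lists those keys' primary fingerprints; the status lines and fingerprints used in the comments are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread or from CloudStack: a hook-style check
# that every commit in a range is signed by a key in a committer keyring.
# Assumption: the keyring was built by importing the .asc files served under
# https://people.apache.org/keys/committer/ and COMMITTER_FPRS lists those keys'
# primary fingerprints, one per line (any sample values are constructed).
set -eu

COMMITTER_FPRS="${COMMITTER_FPRS:-}"

# parse_validsig STATUS_TEXT: print the primary-key fingerprint from a gpg
# "[GNUPG:] VALIDSIG" status line; fail if there is none (unsigned or bad sig).
# Field 12 is the primary key fingerprint when gpg emits it, field 3 otherwise.
parse_validsig() {
  printf '%s\n' "$1" | awk '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); found = 1 }
    END { exit !found }'
}

# check_status STATUS_TEXT ALLOWLIST: exit 0 and print the fingerprint if the
# signature is valid AND the key is a registered committer key; 1 if there is
# no valid signature, 2 if the signature is valid but the key is not listed.
check_status() {
  fpr=$(parse_validsig "$1") || { echo "no valid signature" >&2; return 1; }
  printf '%s\n' "$2" | grep -qix "$fpr" \
    || { echo "key $fpr is not a registered committer key" >&2; return 2; }
  echo "$fpr"
}

# check_range BASE HEAD: apply check_status to every commit in BASE..HEAD.
# Needs git and gpg with the committer keyring imported; "git verify-commit
# --raw" prints the gpg status lines on stderr. Exit 1 on the first reject.
check_range() {
  git rev-list "$1..$2" | while read -r c; do
    status=$(git verify-commit --raw "$c" 2>&1 || true)
    check_status "$status" "$COMMITTER_FPRS" >/dev/null \
      || { echo "commit $c rejected" >&2; exit 1; }
  done
}
```

Run as `COMMITTER_FPRS="$(cat committer-fprs.txt)" ./check.sh` with `check_range origin/master HEAD` as the last line, or call it from a pre-receive hook; a merge that contains an unsigned commit or one signed by a key not in the list fails the check.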
