I am just trying to make sure we are all clear on what we are trying to achieve.
No, we do not have committer access via Github, and in order for us to be able to make the move to the 'apache-cloudstack' org, we will need to keep it that way (at least for now). I am still working on getting this to happen and the ball is in my court to involve Infra right now.

Once that move is complete we have more options, but we have to work with the ASF to make sure they are comfortable with anything we propose. I know that the GPG thing is something they would not accept in the past, but I was not involved in that discussion, so I can't really comment on that. Also, things may have changed since that decision.

Since this is a bit of a complicated topic and there are many opinions in play that are not specifically technical, I am just trying to make sure that we stay on the same page as much as possible and that we look at the problem from both sides (ours and the ASF).

*Will STEVENS*
Lead Developer

*CloudOps* | Cloud Solutions Experts
420 rue Guy | Montreal | Quebec | H3J 1S6
w cloudops.com | tw @CloudOps_

On Wed, Apr 6, 2016 at 11:41 AM, Rafael Weingärtner <[email protected]> wrote:

> Ah, ok
> I had forgotten that, my bad.
>
> On Wed, Apr 6, 2016 at 12:39 PM, Daan Hoogland <[email protected]> wrote:
>
>> On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <[email protected]> wrote:
>>
>>> Sorry, but I did not understand. We do not have commit access to Github, right?
>>
>> I think we are talking about the new to be cloudstack organisation, right @Will?
>>
>>> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <[email protected]> wrote:
>>>
>>>> hm, no ;) We can control access to the organisation right? so we can close it for committers that don't have a valid key. We just need to think of a procedure for checking and registration.
>>>>
>>>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <[email protected]> wrote:
>>>>
>>>>> Yes, I agree with both of you. Maybe I am not being clear. My point is only that we can't allow commit access on Github because then we can not limit it to only valid committers who COULD commit. Is that clearer?
>>>>>
>>>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <[email protected]> wrote:
>>>>>
>>>>>> I agree with Daan.
>>>>>>
>>>>>> On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <[email protected]> wrote:
>>>>>>
>>>>>>> Will, we only need to be sure about the keys of committers. Only for merge commits do we need to be sure of the signature, and the merger needs to verify the code. He can not assure that the origin of the code is authentic but he can at least assure that the code is unchanged since contribution when it is signed. I don't think we need more.
>>>>>>>
>>>>>>> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <[email protected]> wrote:
>>>>>>>
>>>>>>>> Ok, that is half. But how do we verify that a Github user has a GPG key that is matching what is registered in the ASF? Just because you have a GPG key does not mean you are an ASF committer, so the check would have to be made to verify the GPG is registered to an ASF committer before they would be allowed to actually commit via Github. How would this be resolved?
>>>>>>>>
>>>>>>>> On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> There is a way to do that. When you become a committer, you can register a key at [1], then that key (public key) is loaded to [2]. The key is associated with the committer’s login. For instance, this is my public key [3].
>>>>>>>>>
>>>>>>>>> [1] id.apache.org
>>>>>>>>> [2] https://people.apache.org/keys/committer/
>>>>>>>>> [3] https://people.apache.org/keys/committer/rafael.asc
>>>>>>>>>
>>>>>>>>> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> I don't think it is quite this simple. There would have to be a way for the GPG key to be associated with a specific ASF identity and I don't think that is in place at this time. Also, there would have to be verification that the person who is committing has a GPG key AND that they are a committer in ASF and have an identity there. I think there are more moving parts here than meet the eye, but we can definitely continue the discussion and see where it can lead.
>>>>>>>>>>
>>>>>>>>>> On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>>> On 6 April 2016 at 10:50, Daan Hoogland <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Good reading for the Wednesday morning;) yes I think we need to go there and maybe even ask it of our contributors.
>>>>>>>>>>>
>>>>>>>>>>> It might please the ASF since we can now prove who made the commit. If we ask all committers to upload their public key and sign their commits we can check this.
>>>>>>>>>>>
>>>>>>>>>>> For Pull Requests we can probably also add a hook/check which verifies if a signature is present.
>>>>>>>>>>>
>>>>>>>>>>> Wido
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Github just added [0] support for verifying GPG signatures of Git commits to the web interface.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Under the settings page [1] you can now add your public GPG key so Github can verify it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> It's rather simple:
>>>>>>>>>>>>>
>>>>>>>>>>>>> $ gpg --armor --export [email protected]
>>>>>>>>>>>>>
>>>>>>>>>>>>> That gave me my public key which I could export.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Git already supports signing [2] commits with your key.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This makes me wonder, is this something we want to enforce? To me it seems like a good thing to have.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Wido
>>>>>>>>>>>>>
>>>>>>>>>>>>> [0]: https://github.com/blog/2144-gpg-signature-verification
>>>>>>>>>>>>> [1]: https://github.com/settings/keys
>>>>>>>>>>>>> [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Daan
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Rafael Weingärtner
>>>>>>>
>>>>>>> --
>>>>>>> Daan
>>>>>>
>>>>>> --
>>>>>> Rafael Weingärtner
>>>>
>>>> --
>>>> Daan
>>>
>>> --
>>> Rafael Weingärtner
>>
>> --
>> Daan
>
> --
> Rafael Weingärtner
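
The check this thread keeps returning to (a good signature alone is not enough; the signing key must map to a registered committer login), sketched as an added example that is not part of the original e-mails and is not ASF or CloudStack tooling. The function names, the allowlist and all fingerprints are constructed for illustration; a real allowlist would be built from the keys registered for committers.

```python
import subprocess

# Constructed sample data (hypothetical): primary-key fingerprint -> committer login.
ALICE, ALICE_SUBKEY, STRANGER = "AA" * 20, "BB" * 20, "CC" * 20
COMMITTER_KEYS = {ALICE: "alice"}

# Status keywords meaning the signature must not be trusted, even though
# GnuPG may still emit VALIDSIG next to some of them (e.g. EXPKEYSIG).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signer_fingerprint(status_text):
    """Return the signer's primary-key fingerprint, or None if not a good signature."""
    good, fpr = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key's fingerprint; the first is
            # the key that made the signature, which may be a signing subkey.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
    return fpr if good else None


def committer_for(status_text, allowlist=COMMITTER_KEYS):
    """Map a verified signature to a committer login; None means reject."""
    fpr = signer_fingerprint(status_text)
    return allowlist.get(fpr) if fpr else None


def check_commit(rev, repo="."):
    """Run git on a real commit; --raw puts the GnuPG status lines on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    return committer_for(proc.stderr)


def sample_status(keyword, signing_fpr, primary_fpr):
    """Build constructed status output shaped like GnuPG's."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] {keyword} {signing_fpr[-16:]} Constructed User\n"
            f"[GNUPG:] VALIDSIG {signing_fpr} 2016-04-06 1459900800 0 4 0 1 8 00 {primary_fpr}\n")
```

A commit signed by an unregistered key verifies cryptographically but still returns `None` here, which is the distinction between "has a GPG key" and "is a committer" raised in the thread.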
