+1. I hope that you accept pull requests with unsigned commits before 1st July.
On Tue, Jul 2, 2019, 14:18 Brian Spector <br...@qredo.com> wrote:
> Hi All,
>
> We’ve had some watercooler discussions about the SKS key server debacle
> and this got everyone thinking about how important it is to digitally
> sign our git commits. Releases also need to be digitally signed.
>
> Chris, Howard and I are doing this, John is getting set up to do this and
> it would be great if the rest of the contrib squad (Giorgio, Alessandro,
> Patrick, etc.) did this as well.
>
> You can see the ‘verified’ badge next to the commit message here as
> an example:
> https://github.com/apache/incubator-milagro/commits/website/newREADME
>
> In short, what we are worried about is that someone could get access
> to a GitHub account (even an internal compromise of GitHub) and change
> Milagro’s code to somehow inject a vulnerability.
>
> Given that this code is performing trusted cryptographic operations, I
> think we should implement a rule for the project that basically states
> past July 4th, PPMC will approve no git feature branch merges into the
> develop branches on any repo unless all git commits were signed by a
> ‘Verified’ digital signing key. This will add confidence for users
> of the code base.
>
> GitHub takes care of the key verification by making sure the ID you have
> created that is attached to the key (example: brianspec...@apache.org)
> is an email that you as the GitHub user have entered in as a verified
> email here: https://github.com/settings/emails
>
> If you go to this section on the GitHub site in settings:
> https://github.com/settings/emails you are able to add your own GPG key.
> Again, make sure the ID is one that GitHub has on file per above.
>
> The instructions for telling GitHub about your signing key are here:
> https://help.github.com/en/articles/telling-git-about-your-signing-key
>
> You then need to configure git to always sign your commits, which is
> easy: just follow this instruction. It took me all of 15 minutes to set
> this up.
>
> https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
>
> This is a really easy thing to set up and once you have done it, you can
> use the signing key to sign other contributors’ signing keys as Apache
> likes everyone to create a web of trust around the project.
>
> I know not every project has this rule, but we, as a security project,
> have higher standards.
>
> VOTE:
>
> Motion: All committers committing code, and any non-committer code
> coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG
> signed by a GitHub verified key.
>
> The vote will be open for at least 72 hours.
> [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> [ ] +0 No opinion
> [ ] -1 Do not Approve
>
> If you vote not to approve, please state why. Or, start a discussion on
> why we shouldn’t do this given the upsides and low barrier for anyone
> to set up.
>
> Thanks
> Brian
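The two sides of the motion, as an added example that is not part of the original thread: the one-time git configuration that makes every commit signed by default, and a local pre-merge check a reviewer can run over a feature branch before approving a merge into develop. The function names (`configure_signing`, `check_signatures`, `verify_range_signed`) are hypothetical, `KEYID` is a placeholder for the contributor's own key id, and the sample log lines in the comments are constructed. The local check complements GitHub's ‘Verified’ badge rather than replacing it: `git log`'s `%G?` field reports what the reviewer's own gpg keyring says about each signature, so a key that has not been imported and signed into the web of trust shows up as untrusted or unavailable and is rejected here.

```shell
# Added example (not from the original thread). KEYID is a placeholder for
# the contributor's own GPG key id.

# One-time setup: tell git which key to use and sign every commit by default.
# Get the key id from: gpg --list-secret-keys --keyid-format long
configure_signing() {
    keyid="$1"
    git config --global user.signingkey "$keyid"
    git config --global commit.gpgsign true
}

# Policy check. Reads lines of the form "<hash> <status> <signer>" on stdin,
# i.e. the output of: git log --format='%H %G? %GS' <range>
# The %G? status codes are: G good signature, U good signature from an
# untrusted key, B bad signature, X/Y expired, R revoked key, E signature
# could not be checked (key unavailable), N no signature at all.
# Only G is accepted; every other status fails the check.
check_signatures() {
    bad=0
    while read -r hash status signer; do
        if [ -z "$hash" ]; then
            continue
        fi
        case "$status" in
            G) echo "ok      $hash  $signer" ;;
            *) echo "REJECT  $hash  status=$status $signer" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Check every commit a feature branch would bring into develop.
# Usage: verify_range_signed origin/develop feature/foo
# Exit status 0 means all commits carry a good signature; 1 means at least
# one commit must be re-signed (or the missing key imported) before merge.
verify_range_signed() {
    git log --format='%H %G? %GS' "$1..$2" | check_signatures
}

# Constructed sample input for check_signatures (hashes shortened):
#   a1b2c3 G Brian Spector <brianspector@example.org>   -> ok
#   d4e5f6 N                                            -> REJECT, unsigned
#   0a1b2c E                                            -> REJECT, key not in keyring
```

Run `configure_signing KEYID` once per machine; after that plain `git commit` signs automatically and GitHub shows the badge as long as the key's UID email is a verified address on the account. `verify_range_signed origin/develop feature/foo` is the reviewer-side gate: it exits non-zero if any commit in the range lacks a signature that the reviewer's keyring can verify, which is what the motion asks the PPMC to refuse.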