Hi Tran, sorry for the delay in responding. I think we need to nominate you as a contributor in order to get your Apache ID set up. Were you a contributor to a previous project?
Thanks
Brian

Brian Spector
Chief Product and Strategy Officer
Qredo Ltd
T: +44 1394825764
1 Primrose Street
London, UK EC2A 2EX
https://qredo.com

________________________________
From: Tran Ly Vu <vutransingap...@gmail.com>
Sent: 06 July 2019 3:47 PM
To: dev@milagro.incubator.apache.org <dev@milagro.incubator.apache.org>
Cc: d...@milagro.apache.org <d...@milagro.apache.org>
Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key

Hi,

So I could not log in to https://id.apache.org. I have an account that can access Apache Jira and Confluence, but it cannot be used to access https://id.apache.org. Can someone advise me how I can create an account for id.apache.org?

Key fingerprint: 1007 7EA8 CBEE 28F4 BB05 EFE4 CE8F A0C4 9557 1477

Thanks

On Fri, 5 Jul 2019 at 17:43, Brian Spector <br...@qredo.com> wrote:
> Hi Giorgio, great, can you please make sure you update this on your id.apache.org profile?
>
> Thanks
> Brian
>
> On 4 Jul 2019, at 22:20, Giorgio Zoppi wrote:
>
> Pub key fingerprint.
> 08A9 19B6 5853 BFEA 8AF3 F0B6 E89F 5EAB 4B36 F6B9
>
> ---------- Forwarded message ---------
> From: Giorgio Zoppi <giorgio.zo...@gmail.com>
> Date: Thu, 4 Jul 2019 at 23:15
> Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and distribute your public key
> To: Brian Spector <br...@qredo.com>
>
> my public key
>
> On Thu, 4 Jul 2019 at 15:05, Brian Spector (<br...@qredo.com>) wrote:
> Hi All,
>
> as we are preparing for a release, it's critical that contributors advertise their public keys in the appropriate places, and also circulate your public key to other Milagro contributors to make it stronger in the web of trust.
>
> Howard, Patrick, Giorgio, Alessandro, Go, Samuele, Tran, and (apologies to anyone else I have missed) others, the project needs to have your public keys advertised, and it's a critical part of putting your public keys in the 'keys' file that needs to go out with every release.
>
> We've got mine, Stan, Chris, Kealan, and John's keys signed by other developers to strengthen their web of trust, and the signatures on those keys have been uploaded to the SKS key server (hopefully they have recovered somewhat).
>
> The address of the key server is: hkps://hkps.pool.sks-keyservers.net
>
> The folks that are CC'd on this list, if you can, at a minimum, do the following:
>
> 1. Create a GPG signing key. You should have done this for signing your git commits in any case, per the previously sent email containing instructions on signing git commits. The email text is below my salutation for your reference.
>
> 2. Using that signing key, take its public key fingerprint (https://www.apache.org/dev/openpgp.html#find-key-id-with-fingerprint) and update your https://id.apache.org profile to include your public key.
>
> 3. Pull down the following public keys from the key server at hkps://hkps.pool.sks-keyservers.net. You can do this with any GPG Win or Mac client. Kealan is on Linux and can give you help if needed. You can search on the key's fingerprint to make sure you are pulling down the right one.
>
> - Brian Spector (I have two keys):
> 0A45 9DA3 BCDB 6FC0 BAF2 6395 A89D 5CEC 2BF1 B012
> C99A AC81 0E56 3F5E BA2D A1E1 1485 BC9C 64DF 811C
>
> - Chris Morris
> 740E 0DDE 3E53 4774 D7BE BB73 3246 C7FA 219E 5A39
>
> - Howard Kitto
> 8521 0EC8 B145 174B DFC4 5694 4A7E 0C95 773A C2C4
>
> - Stanislav Mihaylov
> EBAA B352 00E3 2DB6 4441 B5F4 03BA 3A7C B1D4 64CA
>
> - Kealan McCusker
> 0188 A1FB 0A3D F335 B7A1 B334 FEC7 E31C C347 F69F
>
> - Emir Uzeirbegovic
> 8098 43C0 72A7 9266 AF9E B0F6 743B 16FF B67C 6E8A
>
> - Milagro Security Advisory Public Key
> 8098 43C0 72A7 9266 AF9E B0F6 743B 16FF B67C 6E8A
>
> OR, simply import the attached keys into your GPG client.
>
> I have digitally SMIME signed this email so you know it came from me (as much as we trust SMIME, not much, but better than nothing).
>
> 4. Optionally, if you feel comfortable doing so, please sign our public keys with your git commit signing key, and upload the public keys you signed back to the SKS key server at: hkps://hkps.pool.sks-keyservers.net
>
> 5. CRITICALLY: Please send us your key fingerprint or public keys (make sure you sign the email when sending over a public key through email so we can check the signature). This is so we can add your public keys to the release's 'keys' file.
>
> Thanks
> Brian
>
> —
>
> On 2 Jul 2019, at 13:18, Brian Spector wrote:
> >
> > Hi All,
> >
> > We've had some watercooler discussions about the SKS key server debacle, and this got everyone thinking about how important it is to digitally sign our git commits, as releases also need to be digitally signed.
> >
> > Chris, Howard and I are doing this, John is getting set up to do this, and it would be great if the rest of the contrib squad (Giorgio, Alessandro, Patrick, etc.) did this as well.
> >
> > You can see the 'verified' badge next to the commit message here as an example:
> > https://github.com/apache/incubator-milagro/commits/website/newREADME
> >
> > In short, what we are worried about is that someone could get access to a GitHub account (even an internal compromise of GitHub) and change Milagro's code to somehow inject a vulnerability.
> >
> > Given that this code is performing trusted cryptographic operations, I think we should implement a rule for the project that basically states that past July 4th, PPMC will approve no git feature branch merges into the develop branches on any repo unless all git commits were signed by a 'Verified' digital signing key. This will add confidence for users of the code base.
> >
> > GitHub takes care of the key verification by making sure the ID you have created that is attached to the key (example: brianspec...@apache.org) is an email that you as the GitHub user have entered as a verified email here:
> > https://github.com/settings/emails
> >
> > If you go to this section on the GitHub site in settings: https://github.com/settings/emails you are able to add your own GPG key. Again, make sure the ID is one that GitHub has on file per above.
> >
> > The instructions for telling GitHub about your signing key are here:
> > https://help.github.com/en/articles/telling-git-about-your-signing-key
> >
> > You then need to configure git to always sign your commits, which is easy; just follow this instruction. It took me all of 15 minutes to set this up.
> >
> > https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
> >
> > This is a really easy thing to set up, and once you have done it, you can use the signing key to sign other contributors' signing keys, as Apache likes everyone to create a web of trust around the project.
> >
> > I know not every project has this rule, but we, as a security project, have higher standards.
> >
> > VOTE:
> >
> > Motion: All committers committing code, and any non-committer code coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG signed by a GitHub verified key.
> >
> > The vote will be open for at least 72 hours.
> > [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> > [ ] +0 No opinion
> > [ ] -1 Do not Approve
> >
> > If you vote not to approve, please state why. Or, start a discussion on why we shouldn't do this given the upsides and low barrier for anyone to set up.
> >
> > Thanks
> > Brian
>
> --
> Life is a chess game - Anonymous.
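The merge rule put to a vote above, as an added pre-merge check (example code, not part of the thread or of the Milagro project): it reads the output of `git log --format='%H %G? %GF'` for a feature branch, here a constructed sample, and accepts a commit only if gpg reports a good signature and the signing key is one of the fingerprints circulated in the mail. The commit SHAs and the DEADBEEF key in the sample are invented.

```python
"""Pre-merge check for the commit-signing rule voted on in this thread.

Added example, not Milagro project code. Input is `git log --format='%H %G? %GF'`:
%G? is gpg's verdict (G good, B bad, U good but untrusted in the local trustdb,
E key missing, N unsigned) and %GF is the signing key's fingerprint. A commit
passes only if the signature is good AND the key is in the release KEYS list;
the local trustdb is deliberately not the policy, the KEYS list is.
"""
import re

# Release KEYS fingerprints, in the spaced form they appear in the thread.
KEYS_FILE_FINGERPRINTS = """
0A45 9DA3 BCDB 6FC0 BAF2 6395 A89D 5CEC 2BF1 B012
C99A AC81 0E56 3F5E BA2D A1E1 1485 BC9C 64DF 811C
740E 0DDE 3E53 4774 D7BE BB73 3246 C7FA 219E 5A39
"""

# Constructed sample log: the SHAs and the DEADBEEF key are invented.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G 0A459DA3BCDB6FC0BAF26395A89D5CEC2BF1B012
2222222222222222222222222222222222222222 G C99AAC810E563F5EBA2DA1E11485BC9C64DF811C
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 G DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
5555555555555555555555555555555555555555 U 740E0DDE3E534774D7BEBB733246C7FA219E5A39
6666666666666666666666666666666666666666 B 740E0DDE3E534774D7BEBB733246C7FA219E5A39
"""

def normalize_fingerprint(fpr: str) -> str:
    """Drop display spacing and upper-case a 40-hex OpenPGP v4 fingerprint."""
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return compact

def load_allowed(keys_text: str) -> set[str]:
    return {normalize_fingerprint(l) for l in keys_text.splitlines() if l.strip()}

def audit_commits(log_text: str, allowed: set[str]) -> list[tuple[str, str]]:
    """Return (sha, reason) for each commit that must block the merge."""
    failures = []
    for line in log_text.splitlines():
        sha, status, *rest = line.split()          # unsigned commits have no %GF
        fpr = rest[0].upper() if rest else ""
        if status not in ("G", "U"):               # N, B, E, X, Y, R: not a good signature
            failures.append((sha, f"signature status {status}"))
        elif fpr not in allowed:                   # good signature, but not a release key
            failures.append((sha, f"key {fpr[-16:]} not in KEYS file"))
    return failures

def merge_allowed(log_text: str, allowed: set[str]) -> bool:
    return not audit_commits(log_text, allowed)
```

Run against a real branch with `git log --format='%H %G? %GF' develop..feature`; a `U` status is accepted here because the KEYS file, not the reviewer's local keyring, defines which keys are trusted.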