Hi, no I was not.

On Wed, 24 Jul 2019 at 22:54, Brian Spector <br...@qredo.com> wrote:

> Hi Tran, sorry for the delay in responding. I think we need to nominate
> you as a contributor in order to get your Apache ID set up. Were you a
> contributor to a previous project?
>
> Thanks
> Brian
>
>
> Brian Spector
> Chief Product and Strategy Officer
> Qredo Ltd
> T: +44 1394825764
> 1 Primrose Street
> London, UK EC2A 2EX
> https://qredo.com
>
> Qredo Ltd is a limited company registered in England and Wales (registered
> number 7834052). This e-mail and any attachments are confidential, and are
> intended only for the named addressee(s). If you are not the intended
> recipient you may not copy, disclose to anyone else or otherwise use the
> content of this e-mail or any attachment thereto and should notify the
> sender immediately and delete them from your system.
>
>
> ________________________________
> From: Tran Ly Vu <vutransingap...@gmail.com>
> Sent: 06 July 2019 3:47 PM
> To: dev@milagro.incubator.apache.org <dev@milagro.incubator.apache.org>
> Cc: d...@milagro.apache.org <d...@milagro.apache.org>
> Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and
> distribute your public key
>
> Hi,
>
> So I could not log in to https://id.apache.org. I have an account that can
> access Apache Jira and Confluence, but it could not be used to access
> https://id.apache.org. Can someone advise me how I can create an account
> for id.apache.org?
>
> Key fingerprint:
> 1007 7EA8 CBEE 28F4 BB05 EFE4 CE8F A0C4 9557 1477
>
> Thanks
>
>
> On Fri, 5 Jul 2019 at 17:43, Brian Spector <br...@qredo.com> wrote:
>
> > Hi Giorgio, great, can you please make sure you update this on your
> > id.apache.org profile please?
> >
> > Thanks
> > Brian
> >
> > On 4 Jul 2019, at 22:20, Giorgio Zoppi wrote:
> >
> > Pub key fingerprint.
> > 08A9 19B6 5853 BFEA 8AF3 F0B6 E89F 5EAB 4B36 F6B9
> >
> > ---------- Forwarded message ---------
> > From: Giorgio Zoppi <giorgio.zo...@gmail.com>
> > Date: Thu., 4 Jul. 2019 at 23:15
> > Subject: Re: URGENT ATTN CONTRIBUTORS: Please sign git commits and
> > distribute your public key
> > To: Brian Spector <br...@qredo.com>
> >
> >
> > my public key
> >
> > On Thu., 4 Jul. 2019 at 15:05, Brian Spector (<br...@qredo.com>) wrote:
> > Hi All,
> >
> > as we are preparing for a release, it’s critical that contributors
> > advertise their public keys in the appropriate places, and also circulate
> > your public key to other Milagro contributors to make it stronger in the
> > web of trust.
> >
> > Howard, Patrick, Giorgio, Alessandro, Go, Samuele, Tran, and (apologies to
> > anyone else I have missed) others, the project needs to have your public
> > keys advertised, and it’s a critical part of putting your public keys in
> > the ‘keys’ file that needs to go out with every release.
> >
> > We’ve got mine, Stan, Chris, Kealan, and John’s keys signed by other
> > developers to strengthen their web of trust, and the signatures on those
> > keys have been uploaded to the SKS key server (hopefully they have
> > recovered somewhat).
> >
> > The address of the key server is: hkps://hkps.pool.sks-keyservers.net
> >
> > The folks that are CC’d on this list, if you can, at a minimum, do the
> > following:
> >
> > 1. Create a GPG signing key; you should have done this for signing your
> > git commits in any case per the previously sent email containing
> > instructions on signing git commits. The email text is below my salutation
> > for your reference.
> >
> > 2. Using that signing key, take its public key fingerprint
> > https://www.apache.org/dev/openpgp.html#find-key-id-with-fingerprint and
> > update your https://id.apache.org profile to include your public key.
> >
> > 3. Pull down the following public keys from the Key Server at:
> > hkps://hkps.pool.sks-keyservers.net. You can do this with any GPG Win or
> > Mac client. Kealan is on Linux and can give you help if needed. You can
> > search on the key’s fingerprint to make sure you are pulling down the
> > right one.
> >
> > - Brian Spector (I have two keys):
> > 0A45 9DA3 BCDB 6FC0 BAF2 6395 A89D 5CEC 2BF1 B012
> > C99A AC81 0E56 3F5E BA2D A1E1 1485 BC9C 64DF 811C
> >
> > - Chris Morris
> > 740E 0DDE 3E53 4774 D7BE BB73 3246 C7FA 219E 5A39
> >
> > - Howard Kitto
> > 8521 0EC8 B145 174B DFC4 5694 4A7E 0C95 773A C2C4
> >
> > - Stanislav Mihaylov
> > EBAA B352 00E3 2DB6 4441 B5F4 03BA 3A7C B1D4 64CA
> >
> > - Kealan McCusker
> > 0188 A1FB 0A3D F335 B7A1 B334 FEC7 E31C C347 F69F
> >
> > - Emir Uzeirbegovic
> > 8098 43C0 72A7 9266 AF9E B0F6 743B 16FF B67C 6E8A
> >
> > - Milagro Security Advisory Public Key
> > 8098 43C0 72A7 9266 AF9E B0F6 743B 16FF B67C 6E8A
> >
> >
> > OR, simply import the attached keys into your GPG client.
> >
> > I have digitally SMIME signed this email so you know it came from me (as
> > much as we trust SMIME, not much, but better than nothing).
> >
> > 4. Optionally, if you feel comfortable doing so, please sign our public
> > keys with your git commit signing key, and upload the public keys you
> > signed back to the SKS key server at: hkps://hkps.pool.sks-keyservers.net
> >
> > 5. CRITICALLY: Please send us your key fingerprint or public keys (make
> > sure you sign the email when sending over a public key through email so we
> > can check the signature). This is so we can add your public keys to the
> > release’s ‘keys’ file.
> >
> > Thanks
> > Brian
> >
> >
> > —
> >
> > On 2 Jul 2019, at 13:18, Brian Spector wrote:
> >
> > > Hi All,
> > >
> > > We’ve had some watercooler discussions about the SKS key server debacle
> > > and this got everyone thinking about how important it is to digitally
> > > sign our git commits, as releases also need to be digitally signed.
> > >
> > > Chris, Howard and I are doing this, John is getting set up to do this,
> > > and it would be great if the rest of the contrib squad (Giorgio,
> > > Alessandro, Patrick, etc.) did this as well.
> > >
> > > You can see the ‘verified’ badge next to the commit message here as an
> > > example:
> > > https://github.com/apache/incubator-milagro/commits/website/newREADME
> > >
> > > In short, what we are worried about is that someone could get access
> > > to a GitHub account (even an internal compromise of GitHub) and change
> > > Milagro’s code to somehow inject a vulnerability.
> > >
> > > Given that this code is performing trusted cryptographic operations, I
> > > think we should implement a rule for the project that basically states
> > > that past July 4th, PPMC will approve no git feature branch merges into
> > > the develop branches on any repo unless all git commits were signed by a
> > > ‘Verified’ digital signing key. This will add confidence for users of
> > > the code base.
> > >
> > > GitHub takes care of the key verification by making sure the ID you have
> > > created that is attached to the key (example: brianspec...@apache.org)
> > > is an email that you as the GitHub user have entered in as a verified
> > > email here: https://github.com/settings/emails
> > >
> > > If you go to this section on the GitHub site in settings:
> > > https://github.com/settings/emails you are able to add your own GPG key.
> > > Again, make sure the ID is one that GitHub has on file per above.
> > >
> > > The instructions for telling GitHub about your signing key are here:
> > > https://help.github.com/en/articles/telling-git-about-your-signing-key
> > >
> > > You then need to configure git to always sign your commits, which is
> > > easy, just follow this instruction. It took me all of 15 minutes to set
> > > this up.
> > >
> > > https://medium.com/@rwbutler/signing-commits-using-gpg-on-macos-7210362d15
> > >
> > > This is a really easy thing to set up and once you have done it, you can
> > > use the signing key to sign other contributors’ signing keys, as Apache
> > > likes everyone to create a web of trust around the project.
> > >
> > > I know not every project has this rule, but we, as a security project,
> > > have higher standards.
> > >
> > > VOTE:
> > >
> > > Motion: All committers committing code, and any non-committer code
> > > coming from any merge request, (OTHER THAN DEPENDENCIES) must be GPG
> > > signed by a GitHub verified key.
> > >
> > > The vote will be open for at least 72 hours.
> > > [ ] +1 Approve the motion to make mandatory GPG signing of git commits
> > > [ ] +0 No opinion
> > > [ ] -1 Do not Approve
> > >
> > > If you vote not to approve, please state why. Or, start a discussion on
> > > why we shouldn’t do this given the upsides and low barrier for anyone to
> > > set up.
> > >
> > > Thanks
> > > Brian
> >
> >
> > --
> > Life is a chess game - Anonymous.
> >
> >
> > --
> > Life is a chess game - Anonymous.
> >
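Step 3 above tells contributors to search the key server by full fingerprint so they pull down the right key. The helper below is an added example (not code from the thread or the Milagro project) that checks keys already imported into a local keyring against the fingerprints circulated out-of-band: it parses the colon-delimited output of `gpg --with-colons --fingerprint`, accepts only full 40-hex fingerprints (a short key ID is not enough to identify a key), and flags any list entry whose fingerprint is shared with another name, as happens for the last two entries in the list above. The gpg output embedded here is constructed; the key IDs, UID hash and the subkey fingerprint in it are placeholders.

```python
"""Check fetched OpenPGP keys against fingerprints circulated out-of-band."""
import re
from typing import Dict, List

# Fingerprints as circulated in the mail above (Brian's first key, Chris,
# Howard, and the two entries that share one fingerprint).
EXPECTED = {
    "Brian Spector": "0A45 9DA3 BCDB 6FC0 BAF2 6395 A89D 5CEC 2BF1 B012",
    "Chris Morris": "740E 0DDE 3E53 4774 D7BE BB73 3246 C7FA 219E 5A39",
    "Howard Kitto": "8521 0EC8 B145 174B DFC4 5694 4A7E 0C95 773A C2C4",
    "Emir Uzeirbegovic": "8098 43C0 72A7 9266 AF9E B0F6 743B 16FF B67C 6E8A",
    "Milagro Security Advisory": "8098 43C0 72A7 9266 AF9E B0F6 743B 16FF B67C 6E8A",
}

# Constructed sample of `gpg --with-colons --fingerprint` output: two primary
# keys (Brian, Chris) plus a subkey whose fingerprint is a placeholder.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:A89D5CEC2BF1B012:1560000000::::::scESC::::::23::0:
fpr:::::::::0A459DA3BCDB6FC0BAF26395A89D5CEC2BF1B012:
uid:u::::1560000000::PLACEHOLDERHASH::Brian Spector <brian@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000000:1560000000::::::e::::::23:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF:
pub:u:4096:1:3246C7FA219E5A39:1560000000::::::scESC::::::23::0:
fpr:::::::::740E0DDE3E534774D7BEBB733246C7FA219E5A39:
uid:u::::1560000000::PLACEHOLDERHASH::Chris Morris <chris@example.invalid>::::::::::0:
"""

def normalize_fpr(fpr: str) -> str:
    """Canonical form: 40 upper-case hex digits, no spaces; rejects short key IDs."""
    s = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError(f"not a full v4 fingerprint: {fpr!r}")
    return s

def parse_primary_fingerprints(colon_output: str) -> List[str]:
    """Return primary-key fingerprints only: an 'fpr' record directly after 'pub'.
    Field 10 of an 'fpr' record holds the fingerprint; subkey fprs are skipped."""
    fprs, prev = [], ""
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and prev == "pub":
            fprs.append(fields[9])
        prev = fields[0]
    return fprs

def check_keyring(expected: Dict[str, str], colon_output: str) -> Dict[str, str]:
    """Map each expected name to 'ok', 'missing' or 'duplicate-in-list'."""
    canon = {name: normalize_fpr(f) for name, f in expected.items()}
    owners: Dict[str, List[str]] = {}
    for name, f in canon.items():
        owners.setdefault(f, []).append(name)
    present = set(parse_primary_fingerprints(colon_output))
    return {name: ("duplicate-in-list" if len(owners[f]) > 1
                   else "ok" if f in present else "missing")
            for name, f in canon.items()}
```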