Thanks Bryan for the heads up. My GPG key had expired. I've renewed my key by extending the expiration. I have now confirmed that my commits are marked as 'verified' on GitHub.
Koji

On Wed, Jun 12, 2019 at 5:43 AM Andy LoPresto <[email protected]> wrote:
>
> Peter,
>
> If you have specific issues setting it up, I’m happy to help debug. I haven’t
> done it recently but am willing to investigate with you.
>
> Andy LoPresto
> [email protected]
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> > On Jun 11, 2019, at 12:55 PM, Bryan Bende <[email protected]> wrote:
> >
> > I will admit I've never set up GPG signing on Linux. I'm sure there are
> > some additional challenges there.
> >
> > Not sure if it is helpful, but there are a few things related to Linux
> > that are mentioned on this GitHub page:
> >
> > https://help.github.com/en/articles/telling-git-about-your-signing-key
> >
> >
> > On Tue, Jun 11, 2019 at 3:45 PM Kevin Doran <[email protected]> wrote:
> >>
> >> Yep, I support these suggestions.
> >>
> >> Setting up GPG does have a learning curve for folks that haven't done
> >> it before, but I think our community would be helpful in assisting
> >> folks on the mailing list and Apache NiFi Slack where they run into
> >> trouble. It's a good practice to learn and once set up there's not much
> >> more to do to get the benefits of it.
> >>
> >> Setting up GPG is also required when acting as release manager in
> >> order to sign convenience binaries (and soon, as Andy brought up,
> >> Maven release artifacts as well - I think that is also a good idea),
> >> so the effort required to get set up for GPG has lots of benefits for
> >> folks that are interested in RM'ing as well.
> >>
> >> Kevin
> >>
> >> On Tue, Jun 11, 2019 at 3:30 PM Peter Wicks (pwicks) <[email protected]>
> >> wrote:
> >>>
> >>> I like having signed commits. I develop on both Windows and Linux, but
> >>> have only had success getting signing working on Windows (which was a bit
> >>> complicated as it was). You can see when I switched from mostly Windows
> >>> to mostly Linux by when I stopped signing commits...
> >>>
> >>> Thanks,
> >>> Peter
> >>>
> >>> -----Original Message-----
> >>> From: Andy LoPresto <[email protected]>
> >>> Sent: Tuesday, June 11, 2019 1:25 PM
> >>> To: [email protected]
> >>> Subject: [EXT] Re: GitHub Stuff
> >>>
> >>> I strongly support both of these suggestions. Thanks for starting the
> >>> conversation Bryan. GPG signing is very important for security and for
> >>> encouraging the rest of the community to adopt these practices as well.
> >>>
> >>>
> >>> Andy LoPresto
> >>> [email protected]
> >>> [email protected]
> >>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> >>>
> >>>> On Jun 11, 2019, at 11:42 AM, Bryan Bende <[email protected]> wrote:
> >>>>
> >>>> I had two thoughts related to our GitHub usage that I wanted to throw
> >>>> out there for PMC members and committers...
> >>>>
> >>>> 1) I think it would be helpful if everyone set up the link between
> >>>> their Apache id and GitHub [1]. Setting up this link puts you into the
> >>>> nifi-committers group in Apache (currently 17 of us are in there), and
> >>>> I believe this is what controls the list of users that can be selected
> >>>> as a reviewer on a pull request. Since PRs are the primary form of
> >>>> contribution, it would be nice if all of the PMC/committers were in
> >>>> the reviewer list, but of course you can continue to commit against
> >>>> Gitbox without doing this.
> >>>>
> >>>> 2) I also think it would be nice if most of the commits in the repo
> >>>> were signed commits that show up as "Verified" in GitHub [2]. Right
> >>>> now I think we lose the verification if the user reviewing the commit
> >>>> doesn't have signing set up, because when you amend the commit to add
> >>>> "This closes ...", it technically produces a new commit hash, thus
> >>>> making the original signature no longer apply (at least this is what I
> >>>> think is happening, but others may know more).
> >>>>
> >>>> These are obviously just my opinions and no one has to do these
> >>>> things, but just thought I would throw it out there for discussion in
> >>>> case anyone wasn't aware.
> >>>>
> >>>> -Bryan
> >>>>
> >>>> [1]
> >>>> https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitbox.apache.org%2Fsetup%2F&data=02%7C01%7Cpwicks%40micron.com%7Cc2f20a00f6424597c10708d6eea27d65%7Cf38a5ecd28134862b11bac1d563c806f%7C0%7C0%7C636958778999592924&sdata=mJ59FD6KSYn1jXHN0yRRagKf6BHdWn7N1ZXmV4BtBi8%3D&reserved=0
> >>>> [2]
> >>>> https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhelp.github.com%2Fen%2Farticles%2Fsigning-commits&data=02%7C01%7Cpwicks%40micron.com%7Cc2f20a00f6424597c10708d6eea27d65%7Cf38a5ecd28134862b11bac1d563c806f%7C0%7C0%7C636958778999592924&sdata=%2BiByT0SfcxSsoLXgS4VFLI1DTBn9BW3vD1iPvCCqRSI%3D&reserved=0
> >>>
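
The amend scenario from point 2 of the quoted message, as an added example that is not part of the original thread: a commit signature is stored in a `gpgsig` header and covers the rest of the commit object, so editing the message yields different signed bytes and a new commit id. The sample commit, its addresses, the signature body and the `#0000` PR number are constructed placeholders, and `amend_message` is a hypothetical helper that models only the message change.

```python
import hashlib

def commit_id(raw: bytes) -> str:
    """Git object id: SHA-1 over 'commit <size>\\0' followed by the object bytes."""
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()

def split_signature(raw: bytes):
    """Return (signed_payload, signature); git signs the object minus 'gpgsig'."""
    head, sep, body = raw.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):  # continuation lines start with one space
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + sep + body
    return payload, (b"\n".join(sig) if sig else None)

def amend_message(raw: bytes, extra: bytes) -> bytes:
    """Model an amend by someone without signing configured: the message changes
    and the old gpgsig header is dropped (a real amend also updates the committer)."""
    payload, _ = split_signature(raw)
    return payload.rstrip(b"\n") + b"\n\n" + extra + b"\n"

# Constructed sample commit object; names and signature body are placeholders.
SIGNED = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Contributor <contributor@example.org> 1560267720 -0400\n"
    b"committer Contributor <contributor@example.org> 1560267720 -0400\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDER-SIGNATURE-BODY\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Fix typo in documentation\n"
)

if __name__ == "__main__":
    amended = amend_message(SIGNED, b"This closes #0000.")  # placeholder PR number
    for name, raw in (("original", SIGNED), ("amended", amended)):
        print(name, commit_id(raw), "signed:", split_signature(raw)[1] is not None)
```

On a real repository, `git log --format='%h %G? %s'` shows the same effect per commit: `G` for a good signature, `N` for none.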
