Hi Niclas,

after reading so many emails on Git and code provenance (and maybe having lost some email ...) I fear introducing only a small complexity without too much gain ... anyway, I think that we could try something, if not in the main repository then in zest-sandbox.

I have a Code Signing PGP key with my Apache ID that's still valid; to begin we could exchange our public keys between us :-) and then add them to the KEYS file in the Zest source repository. My Key ID is: F9EDAF10; note that it's published at the MIT Key Server (it should be valid, please tell me if not, because it's not clear); you can find it even here (two asc files, but it's the same key): http://people.apache.org/~smartini/

I put it here in attachment just for convenience.

Niclas, yours? Paul and others?

Stay well.

Bye,
Sandro

2015-10-28 2:32 GMT+01:00 Niclas Hedhman <[email protected]>:
> Hi,
> There is some internal debate about how to ensure provenance in a Git and
> GitHub world. I can't say how that discussion is going, but one idea that
> surfaced, which we (the projects) can do regardless of the total outcome,
> to improve code provenance is to sign our commits.
>
> I first note that IntelliJ doesn't support commit signing directly.
>
> Secondly, http://mikegerwitz.com/papers/git-horror-story (I hope I typed
> that correctly) is a must read.
>
> In that paper, I am specifically talking about Option #3 (as I doubt that
> we (Zest) will get too many pull requests that are many commits long).
>
> This seems to be something that can be introduced incrementally and at a slow
> pace, which is something we like at Apache. Trust enforcement and all of
> that can be done later, and perhaps other projects will lead the way...
>
> I would like to hear what people think about this...
>
> Cheers
> Niclas
>
> P.S. I am now settled in, in Shanghai, and just started to work on a new
> Zest based app in my spare time, so activity should start to pick up again.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)

mQENBE5ScxYBCAC8B9CIHxb7rouKnmTJbJOzWCsjYAx9CTHxNYGYI4bbM7M/tyTh
73Rex5Af8UkBeZsFPRY0yXLtgWKFmqhtPaM9gAgvFZu/Fi/c30HsMW6SyuoMzXRF
sYfe6ra+uanqf0STfMDjojNCDELbjfC+y4z1MFU/IyQUke6jnup6PFfAj9olsD8f
bHNy/BU/J7iicOcqY+oWiCi71kNGAMx1Oh/iU5l0HPw3qDDz4dE9PO4k8dA0sPIH
0xcZuPzAAEhVxn5J+Z8uvZ1FoxceKviv5lXWm+5YejmyUdrWpGdWo+lKMgojznPB
dV3YKazEuZLpDiPPDnEgg9C7EIrSJ1e+1WghABEBAAG0LVNhbmRybyBNYXJ0aW5p
IC0gQXBhY2hlIDxzbWFydGluaUBhcGFjaGUub3JnPokBOAQTAQIAIgIbDwYLCQgH
AwIGFQgCCQoLBBYCAwECHgECF4AFAk5lThsACgkQZF/YhvntrxD6fQf/XD21fimN
UH95RumWDjeugmH86GdAYqYSkWneQbDnnEeFiigZjRxx5QeHMkbHt/QDnlgi2iG8
mrESq1cHpTIrFXQlyPa6pAoBsK78tPVKYI8fwY4nI3HkLWpdGY9KP66Ihl4WDt4V
hGBBzv9XSBczHfJ5cKQp7Vxl6qZltBFk8qbKx4Lnf/WS936PLN6al6bi0h0CCCqM
Znqc/la+nwnXcBa6reIYZi+6L3QQBBESWCMMYr7YkIQ5yFncmPsWsal+CZiqOQ29
UcH4B6gWVOqjfXsceF5mAvfdqVS7cgq/ltvW8UKMZHpFMuYIgtLMyIdi7dEAbpF3
DQQU6OVfDXFY9w==
=PlP9
-----END PGP PUBLIC KEY BLOCK-----
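The thread settles on two mechanics: each committer publishes a PGP key in the project's KEYS file, and a committer names a key by its ID (F9EDAF10 above). The following is an added example, not code from the Zest project or from either author, showing how a maintainer can check the KEYS-file side of that arrangement offline: it decodes each armored public key block, verifies the armor's CRC-24 trailer, and computes the primary key's v4 fingerprint from the packet bytes (RFC 4880), so that a claimed key ID can be matched against what the file really contains. A short ID like F9EDAF10 is only the low 32 bits of the fingerprint, so the check prints and should be compared on the full fingerprint. The `SAMPLE_KEY` bytes are a constructed toy key (8-bit RSA modulus) used only as built-in input; `armor()`, `dearmor()`, `describe_key()` and `find_key()` are names chosen here. Signature verification itself is left to gpg and `git verify-commit`.

```python
"""Inspect the armored PGP public key blocks in a project KEYS file (added example)."""
import base64
import hashlib
import re
import sys

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB      # RFC 4880 section 6.1
PUBLIC_KEY_TAG, USER_ID_TAG = 6, 13
ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----", re.S)


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The four characters that follow '=' on the armor checksum line."""
    return base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data: bytes) -> str:
    """Wrap raw packet bytes in a public key armor (used here to build sample input)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            + "\n".join(lines) + "\n=" + armor_checksum(data)
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(block: str) -> bytes:
    """Decode one armored block; reject it if the CRC-24 trailer does not match."""
    body, trailer = [], None
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("-----") or re.match(r"^[\w-]+:\s", line):
            continue                      # blank line, BEGIN/END line, or armor header
        if line.startswith("="):
            trailer = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if trailer is None:
        raise ValueError("armor has no CRC-24 trailer")
    if trailer != armor_checksum(data):
        raise ValueError("armor CRC-24 mismatch: trailer %s, computed %s"
                         % (trailer, armor_checksum(data)))
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old and new header formats, no partial lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                    # new format (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not supported")
        else:                             # old format: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled (got %d)" % body[0])
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def describe_key(data: bytes) -> dict:
    """Fingerprint, short key ID, algorithm and user IDs of the primary key in data."""
    info = {"fingerprint": None, "key_id": None, "algorithm": None, "user_ids": []}
    for tag, body in iter_packets(data):
        if tag == PUBLIC_KEY_TAG and info["fingerprint"] is None:
            info["fingerprint"] = v4_fingerprint(body)
            info["key_id"] = info["fingerprint"][-8:]   # 32-bit short ID, the F9EDAF10 form
            info["algorithm"] = body[5]                 # after version(1) and creation time(4)
        elif tag == USER_ID_TAG:
            info["user_ids"].append(body.decode("utf-8", "replace"))
    if info["fingerprint"] is None:
        raise ValueError("no public key packet found")
    return info


def find_key(keys_text: str, claimed_id: str) -> list:
    """Keys in a KEYS file whose fingerprint ends with the claimed short or long ID."""
    claimed = claimed_id.upper().replace(" ", "")
    found = (describe_key(dearmor(m.group(0))) for m in ARMOR_RE.finditer(keys_text))
    return [info for info in found if info["fingerprint"].endswith(claimed)]


# Constructed sample (not a real key): a v4 RSA public key packet with a toy 8-bit
# modulus followed by one User ID packet, both in the old header format.
SAMPLE_KEY = bytes.fromhex(
    "99000c"               # tag 6, two-octet length 12
    "04" "00000000" "01"   # version 4, creation time 0, algorithm 1 (RSA)
    "0008ff" "000203"      # MPI n = 0xff (8 bits), MPI e = 3 (2 bits)
    "b40b") + b"toy <t@x.y>"  # tag 13, one-octet length 11, then the user ID

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else armor(SAMPLE_KEY)
    for m in ARMOR_RE.finditer(text):
        k = describe_key(dearmor(m.group(0)))
        print("%s  id %s  algo %d  %s" % (k["fingerprint"], k["key_id"], k["algorithm"],
                                         "; ".join(k["user_ids"])))
```

Run it as `python keys_check.py KEYS` to list every key in the file; with no argument it runs on the constructed sample. A block whose `=XXXX` trailer does not match its data is rejected rather than decoded, which catches truncated or mangled paste-ins such as a key copied through a mail client.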
