Will, we only need to be sure about the keys of committers. Only for merge
commits do we need to be sure of the signature, and the merger needs to
verify the code. He cannot assure that the origin of the code is authentic,
but he can at least assure that the code is unchanged since contribution
when it is signed. I don't think we need more.

On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <wstev...@cloudops.com> wrote:

> Ok, that is half.  But how do we verify that a Github user has a GPG key
> that is matching what is registered in the ASF?  Just because you have a
> GPG key does not mean you are an ASF committer, so the check would have to
> be made to verify the GPG is registered to an ASF committer before they
> would be allowed to actually commit via Github.  How would this be resolved?
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *| *Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>
> On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>
>> There is a way to do that. When you become a committer, you can register a
>> key at [1], then that key (public key) is loaded to [2]. The key is
>> associated with the committer’s login. For instance, this is my public key
>> [3].
>>
>> [1] id.apache.org
>> [2] https://people.apache.org/keys/committer/
>> [3] https://people.apache.org/keys/committer/rafael.asc
>>
>>
>> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <wstev...@cloudops.com> wrote:
>>
>> > I don't think it is quite this simple.  There would have to be a way for
>> > the GPG key to be associated with a specific ASF identity and I don't think
>> > that is in place at this time.  Also, there would have to be verification
>> > that the person who is committing has a GPG key AND that they are a
>> > committer in ASF and have an identity there.  I think there are more moving
>> > parts here than meet the eye, but we can definitely continue the discussion
>> > and see where it can lead.
>> >
>> > *Will STEVENS*
>> > Lead Developer
>> >
>> > *CloudOps* *| *Cloud Solutions Experts
>> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>> > w cloudops.com *|* tw @CloudOps_
>> >
>> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <w...@widodh.nl> wrote:
>> >
>> > >
>> > > > On 6 April 2016 at 10:50 Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>> > > >
>> > > >
>> > > > Good reading for the Wednesday morning;) yes I think we need to go there
>> > > > and maybe even ask it of our contributors.
>> > > >
>> > >
>> > > It might please the ASF since we can now prove who made the commit. If we ask
>> > > all committers to upload their public key and sign their commits we can check
>> > > this.
>> > >
>> > > For Pull Requests we can probably also add a hook/check which verifies if a
>> > > signature is present.
>> > >
>> > > Wido
>> > >
>> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <w...@widodh.nl> wrote:
>> > > >
>> > > > > Hi,
>> > > > >
>> > > > > Github just added [0] support for verifying GPG signatures of Git commits
>> > > > > to the web interface.
>> > > > >
>> > > > > Under the settings page [1] you can now add your public GPG key so Github
>> > > > > can verify it.
>> > > > >
>> > > > > It's rather simple:
>> > > > >
>> > > > > $ gpg --armor --export w...@widodh.nl
>> > > > >
>> > > > > That gave me my public key which I could export.
>> > > > >
>> > > > > Git already supports signing [2] commits with your key.
>> > > > >
>> > > > > This makes me wonder, is this something we want to enforce? To me it seems
>> > > > > like a good thing to have.
>> > > > >
>> > > > > Wido
>> > > > >
>> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
>> > > > > [1]: https://github.com/settings/keys
>> > > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>> > > > >
>> > > >
>> > > >
>> > > >
>> > > > --
>> > > > Daan
>> > >
>> >
>>
>>
>>
>> --
>> Rafael Weingärtner
>>
>
>


-- 
Daan
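The pull-request check Wido proposes, tied to the committer key directory Rafael points at, as an added example that is not code from this thread or from any Apache project: POSIX sh functions that accept a commit only when git reports a good signature and the signing key's fingerprint is on an allowlist of committer keys. The fingerprints are constructed placeholders, and building the keyring from the .asc files at people.apache.org is an assumption.

```shell
# Added example (not from this thread or any Apache project's tooling): a CI
# or pre-receive style check that every commit in a pull-request range carries
# a good GPG signature from a key on an allowlist of committer fingerprints.
# ASSUMPTION: the allowlist is built by importing the .asc files published at
# https://people.apache.org/keys/committer/ into a dedicated keyring and
# listing their fingerprints; the values below are constructed placeholders.
ALLOWED_FPRS='0000000000000000000000000000000000000001
0000000000000000000000000000000000000002'

# git's %G? placeholder: G = good signature, U = good signature from an
# untrusted key, B = bad signature, E = signature cannot be checked (key
# missing), N = no signature. Only G and U mean "the commit is unchanged
# since it was signed"; the fingerprint check then ties it to a committer.
# check_line "<sha> <%G?> <fingerprint>" -> 0 if acceptable, 1 otherwise
check_line() {
    sha=$(printf '%s' "$1" | cut -d' ' -f1)
    status=$(printf '%s' "$1" | cut -d' ' -f2)
    fpr=$(printf '%s' "$1" | cut -d' ' -f3)
    case "$status" in
        G|U) ;;
        *) echo "REJECT $sha: signature status '$status'"; return 1 ;;
    esac
    if [ -n "$fpr" ] && printf '%s\n' "$ALLOWED_FPRS" | grep -qx "$fpr"; then
        echo "OK     $sha: signed by registered committer key $fpr"
        return 0
    fi
    echo "REJECT $sha: key '$fpr' is not a registered committer key"
    return 1
}

# check_lines reads "<sha> <%G?> <fingerprint>" records from stdin and fails
# if any commit is rejected, so the whole range is reported, not just the first.
check_lines() {
    fails=0
    while read -r line; do
        [ -n "$line" ] || continue
        check_line "$line" || fails=$((fails + 1))
    done
    [ "$fails" -eq 0 ]
}

# check_range base..head runs the check over real history; %GF prints the
# signing key's fingerprint (supported by current git versions). Run with
# GNUPGHOME pointing at the committer keyring so git can verify signatures.
check_range() {
    git log --format='%H %G? %GF' "$1" | check_lines
}
```

A signature from a key that verifies but is not in the allowlist is rejected too, which is the gap Will raised: having a GPG key is not the same as being a registered committer.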
