hm, no ;) We can control access to the organisation right? so we can close it for committers that don't have a valid key. We just need to think of a procedure for checking and registration.
On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <wstev...@cloudops.com> wrote: > Yes, I agree with both of you. Maybe I am not being clear. My point is > only that we can't allow commit access on Github because then we can not > limit it to only valid committers who COULD commit. Is that clearer? > > *Will STEVENS* > Lead Developer > > *CloudOps* *| *Cloud Solutions Experts > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 > w cloudops.com *|* tw @CloudOps_ > > On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner < > rafaelweingart...@gmail.com> wrote: > > > I agree with Daan. > > > > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <daan.hoogl...@gmail.com> > > wrote: > > > >> Will, we only need to be sure about the key's of committers. Only merge > >> commits we need to be sure of the signature and the merger needs to be > >> verify the code. He can not assure that the origin of the code is > >> authentic > >> but he can at least assure that the code is unchanged since contribution > >> when it is signed. I don't think we need more. > >> > >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <wstev...@cloudops.com> > >> wrote: > >> > >> > Ok, that is half. But how do we verify that a Github user has a GPG > key > >> > that is matching what is registered in the ASF? Just because you > have a > >> > GPG key does not mean you are an ASF committer, so the check would > have > >> to > >> > be made to verify the GPG is registered to an ASF committer before > they > >> > would be allowed to actually commit via Github. How would this be > >> resolved? > >> > > >> > *Will STEVENS* > >> > Lead Developer > >> > > >> > *CloudOps* *| *Cloud Solutions Experts > >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 > >> > w cloudops.com *|* tw @CloudOps_ > >> > > >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner < > >> > rafaelweingart...@gmail.com> wrote: > >> > > >> >> There is a way to do that. When you become a committer, you can > >> register a > >> >> key at [1], then that key (public key) is loaded to [2]. The key is > >> >> associated with the committer’s login. For instance, this is my > public > >> key > >> >> [3]. > >> >> > >> >> [1] id.apache.org > >> >> [2] https://people.apache.org/keys/committer/ > >> >> [3] https://people.apache.org/keys/committer/rafael.asc > >> >> > >> >> > >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <wstev...@cloudops.com > > > >> >> wrote: > >> >> > >> >> > I don't think it is quite this simple. There would have to be a > way > >> for > >> >> > the GPG key to be associated with a specific ASF identity and I > don't > >> >> think > >> >> > that is in place at this time. Also, there would have to be > >> >> verification > >> >> > that the person who is committing has a GPG key AND that they are a > >> >> > committer in ASF and have an identity there. I think there are > more > >> >> moving > >> >> > parts here than meet the eye, but we can definitely continue the > >> >> discussion > >> >> > and see where it can lead. > >> >> > > >> >> > *Will STEVENS* > >> >> > Lead Developer > >> >> > > >> >> > *CloudOps* *| *Cloud Solutions Experts > >> >> > 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 > >> >> > w cloudops.com *|* tw @CloudOps_ > >> >> > > >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <w...@widodh.nl > > > >> >> wrote: > >> >> > > >> >> > > > >> >> > > > Op 6 april 2016 om 10:50 schreef Daan Hoogland < > >> >> > daan.hoogl...@gmail.com > >> >> > > >: > >> >> > > > > >> >> > > > > >> >> > > > Good reading for the Wednesday morning;) yes I think we need to > >> go > >> >> > there > >> >> > > > and maybe even ask it of our contributors. > >> >> > > > > >> >> > > > >> >> > > It might please the ASF since we can now prove who made the > commit. > >> >> If we > >> >> > > ask > >> >> > > all committers to upload their public key and sign their commits > we > >> >> can > >> >> > > check > >> >> > > this. > >> >> > > > >> >> > > For Pull Requests we can probably also add a hook/check which > >> verifies > >> >> > if a > >> >> > > signature is present. > >> >> > > > >> >> > > Wido > >> >> > > > >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander < > >> w...@widodh.nl> > >> >> > > wrote: > >> >> > > > > >> >> > > > > Hi, > >> >> > > > > > >> >> > > > > Github just added [0] support for verifying GPG signatures of > >> Git > >> >> > > commits > >> >> > > > > to the > >> >> > > > > web interface. > >> >> > > > > > >> >> > > > > Under the settings page [1] you can now add your public GPG > >> key so > >> >> > > Github > >> >> > > > > can > >> >> > > > > verify it. > >> >> > > > > > >> >> > > > > It's rather simple: > >> >> > > > > > >> >> > > > > $ gpg --armor --export w...@widodh.nl > >> >> > > > > > >> >> > > > > That gave me my public key which I could export. > >> >> > > > > > >> >> > > > > Git already supports signing [2] commits with your key. > >> >> > > > > > >> >> > > > > This makes me wonder, is this something we want to enforce? > To > >> me > >> >> it > >> >> > > seems > >> >> > > > > like > >> >> > > > > a good thing to have. > >> >> > > > > > >> >> > > > > Wido > >> >> > > > > > >> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification > >> >> > > > > [1]: https://github.com/settings/keys > >> >> > > > > [2]: > >> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work > >> >> > > > > > >> >> > > > > >> >> > > > > >> >> > > > > >> >> > > > -- > >> >> > > > Daan > >> >> > > > >> >> > > >> >> > >> >> > >> >> > >> >> -- > >> >> Rafael Weingärtner > >> >> > >> > > >> > > >> > >> > >> -- > >> Daan > >> > > > > > > > > -- > > Rafael Weingärtner > > > -- Daan