On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:

> Sorry, but I did not understand. We do not have commit access to Github,
> right?
> I think we are talking about the new to be cloudstack organisation, right @Will?
>
> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>
>> hm, no ;) We can control access to the organisation right? so we can
>> close it for committers that don't have a valid key. We just need to think
>> of a procedure for checking and registration.
>>
>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <wstev...@cloudops.com> wrote:
>>
>>> Yes, I agree with both of you. Maybe I am not being clear. My point is
>>> only that we can't allow commit access on Github because then we can not
>>> limit it to only valid committers who COULD commit. Is that clearer?
>>>
>>> *Will STEVENS*
>>> Lead Developer
>>>
>>> *CloudOps* *|* Cloud Solutions Experts
>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>> w cloudops.com *|* tw @CloudOps_
>>>
>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>>>
>>> > I agree with Daan.
>>> >
>>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>>> >
>>> >> Will, we only need to be sure about the keys of committers. Only for merge
>>> >> commits do we need to be sure of the signature, and the merger needs to
>>> >> verify the code. He can not assure that the origin of the code is authentic,
>>> >> but he can at least assure that the code is unchanged since contribution
>>> >> when it is signed. I don't think we need more.
>>> >>
>>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <wstev...@cloudops.com> wrote:
>>> >>
>>> >> > Ok, that is half. But how do we verify that a Github user has a GPG key
>>> >> > that is matching what is registered in the ASF? Just because you have a
>>> >> > GPG key does not mean you are an ASF committer, so the check would have to
>>> >> > be made to verify the GPG key is registered to an ASF committer before they
>>> >> > would be allowed to actually commit via Github. How would this be resolved?
>>> >> >
>>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
>>> >> >
>>> >> >> There is a way to do that. When you become a committer, you can register a
>>> >> >> key at [1], then that key (public key) is loaded to [2]. The key is
>>> >> >> associated with the committer's login. For instance, this is my public key
>>> >> >> [3].
>>> >> >>
>>> >> >> [1] id.apache.org
>>> >> >> [2] https://people.apache.org/keys/committer/
>>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
>>> >> >>
>>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <wstev...@cloudops.com> wrote:
>>> >> >>
>>> >> >> > I don't think it is quite this simple. There would have to be a way for
>>> >> >> > the GPG key to be associated with a specific ASF identity and I don't think
>>> >> >> > that is in place at this time. Also, there would have to be verification
>>> >> >> > that the person who is committing has a GPG key AND that they are a
>>> >> >> > committer in ASF and have an identity there. I think there are more moving
>>> >> >> > parts here than meet the eye, but we can definitely continue the discussion
>>> >> >> > and see where it can lead.
>>> >> >> >
>>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <w...@widodh.nl> wrote:
>>> >> >> >
>>> >> >> > > > On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>>> >> >> > > >
>>> >> >> > > > Good reading for the Wednesday morning;) yes I think we need to go there
>>> >> >> > > > and maybe even ask it of our contributors.
>>> >> >> > > >
>>> >> >> > >
>>> >> >> > > It might please the ASF since we can now prove who made the commit. If we
>>> >> >> > > ask all committers to upload their public key and sign their commits we can
>>> >> >> > > check this.
>>> >> >> > >
>>> >> >> > > For Pull Requests we can probably also add a hook/check which verifies if a
>>> >> >> > > signature is present.
>>> >> >> > >
>>> >> >> > > Wido
>>> >> >> > >
>>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <w...@widodh.nl> wrote:
>>> >> >> > > >
>>> >> >> > > > > Hi,
>>> >> >> > > > >
>>> >> >> > > > > Github just added [0] support for verifying GPG signatures of Git commits
>>> >> >> > > > > to the web interface.
>>> >> >> > > > >
>>> >> >> > > > > Under the settings page [1] you can now add your public GPG key so Github
>>> >> >> > > > > can verify it.
>>> >> >> > > > >
>>> >> >> > > > > It's rather simple:
>>> >> >> > > > >
>>> >> >> > > > > $ gpg --armor --export w...@widodh.nl
>>> >> >> > > > >
>>> >> >> > > > > That gave me my public key which I could export.
>>> >> >> > > > >
>>> >> >> > > > > Git already supports signing [2] commits with your key.
>>> >> >> > > > >
>>> >> >> > > > > This makes me wonder, is this something we want to enforce? To me it seems
>>> >> >> > > > > like a good thing to have.
>>> >> >> > > > >
>>> >> >> > > > > Wido
>>> >> >> > > > >
>>> >> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
>>> >> >> > > > > [1]: https://github.com/settings/keys
>>> >> >> > > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>> >> >> > > >
>>> >> >> > > > --
>>> >> >> > > > Daan
>>> >> >>
>>> >> >> --
>>> >> >> Rafael Weingärtner
>>> >>
>>> >> --
>>> >> Daan
>>> >
>>> > --
>>> > Rafael Weingärtner
>>
>> --
>> Daan
>
> --
> Rafael Weingärtner

--
Daan
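Wido proposes a hook that checks whether a signature is present, Daan narrows the requirement to merge commits, and Rafael points at the committer key export on people.apache.org as the registry to check against. The script below is an added example of such a check, not code from this thread or from the CloudStack project: it consumes `git log` output for a commit range and rejects any merge commit that lacks a good GPG signature from an allow-listed key fingerprint. The allow-list file, its one-fingerprint-per-line format, and the `check_commits`/`check_range` names are assumptions; it goes slightly beyond the thread by also accepting signatures gpg reports as good but of unknown validity (`U`), since the allow-list rather than the local gpg trust database decides who is a committer.

```shell
#!/bin/sh
# Added example (not from the thread): a hook/CI-side check that every merge
# commit in a range is signed with a good GPG signature from a key on a
# committer allow-list. Assumed allow-list format (hypothetical file): one key
# fingerprint per line, e.g. built from the keys published under
# https://people.apache.org/keys/committer/ after importing them into gpg.

# check_commits ALLOWLIST_FILE   (reads commit records on stdin)
# One record per line: <hash>|<sig status>|<signer fingerprint>|<parents>,
# as produced by:  git log --format='%H|%G?|%GF|%P' <range>
# %G? is G (good), U (good, unknown validity), B (bad), N (none), E (error), ...
# Returns 0 if every merge commit passes; prints a REJECT line per offender.
check_commits() {
    allow="$1"
    bad=0
    while IFS='|' read -r hash status fpr parents; do
        # Only merge commits (two or more parents) must carry a verified
        # signature, which is the policy Daan describes in the thread.
        set -- $parents
        [ "$#" -ge 2 ] || continue
        case "$status" in
            G|U) ;;   # cryptographically valid; trust is decided by the allow-list
            *) echo "REJECT $hash: signature status '$status' (want G or U)"
               bad=1; continue ;;
        esac
        # Fingerprint must match a registered committer key (whole line, case-insensitive).
        if ! grep -qixF "$fpr" "$allow"; then
            echo "REJECT $hash: signing key $fpr is not a registered committer key"
            bad=1
        fi
    done
    return "$bad"
}

# check_range RANGE ALLOWLIST_FILE: run the check against a real repository,
# e.g.  check_range origin/master..HEAD committer-fingerprints.txt
check_range() {
    git log --format='%H|%G?|%GF|%P' "$1" | check_commits "$2"
}
```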