Thanks for the heads up Matt! Have done it.

On Fri, Apr 15, 2022 at 8:37 PM Matt Sicker <boa...@gmail.com> wrote:
> Volkan, if you'd like to continue using git commit sigs, you should
> also upload your public GPG key to your GitHub account so that it can
> verify your commits, too. Otherwise, GitHub doesn't exactly import GPG
> keys from the public web of trust; they only use GPG keys you specify
> in your profile (whereas they do support X.509 keys when certified by
> a public CA, but this feature seems a lot more recent than the GPG
> support).
>
> On Fri, Apr 15, 2022 at 8:25 AM Volkan Yazıcı <vol...@yazi.ci> wrote:
> >
> > I couldn't introduce branch protection (aka. RTC review-then-commit) since
> > Gary was strongly against it. It was just me, Matt, and Carter supporting
> > the idea; Ralph was also sort of against it. You can search the archives
> > for details.
> >
> > I couldn't even introduce commit signatures. Sigh...
> >
> > On Fri, Apr 15, 2022 at 5:34 AM Remko Popma <remko.po...@gmail.com> wrote:
> >
> > > I remember we discussed changing our development process to use PRs instead
> > > of committing directly to the release branches.
> > > This was part of trying to increase our security score, especially the
> > > Branch Protection part
> > > in scorecard (https://github.com/ossf/scorecard/blob/main/docs/checks.md).
> > >
> > > Questions:
> > > * how many approvals did we agree on before a PR can be merged?
> > > * if a PR is merged into release-2.x, can it be cherry-picked onto 3.0
> > > directly, or does the change to the 3.0 branch need a separate PR?
> > > * what to do with the updates to changes.xml? Does that need to be included
> > > in the PRs?