I strongly support both of these suggestions. Thanks for starting the 
conversation Bryan. GPG signing is very important for security and for 
encouraging the rest of the community to adopt these practices as well. 


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 11, 2019, at 11:42 AM, Bryan Bende <bbe...@gmail.com> wrote:
> 
> I had two thoughts related to our GitHub usage that I wanted to throw
> out there for PMC members and committers...
> 
> 1) I think it would be helpful if everyone set up the link between
> their Apache id and github [1]. Setting up this link puts you into the
> nifi-committers group in Apache (currently 17 of us are in there), and
> I believe this is what controls the list of users that can be selected
> as a reviewer on a pull request. Since PRs are the primary form of
> contribution, it would be nice if all of the PMC/committers were in
> the reviewer list, but of course you can continue to commit against
> Gitbox without doing this.
> 
> 2) I also think it would be nice if most of the commits in the repo
> were signed commits that show up as "Verified" in GitHub [2]. Right
> now I think we lose the verification if the user reviewing the commit
> doesn't have signing set up, because when you amend the commit to add
> "This closes ...", it technically produces a new commit hash, thus
> making the original signature no longer apply (at least this is what I
> think is happening, but others may know more).
> 
> These are obviously just my opinions and no one has to do these
> things, but just thought I would throw it out there for discussion in
> case anyone wasn't aware.
> 
> -Bryan
> 
> [1] https://gitbox.apache.org/setup/
> [2] https://help.github.com/en/articles/signing-commits

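Bryan's point about amending a signed commit, illustrated with an added Python example that is not from this thread or the NiFi project: it renders a git commit object, computes the commit id the way git does, and uses a SHA-256 digest as a stand-in for the OpenPGP signature, which git computes over the commit body with the gpgsig header removed. The object ids, identity and ticket number are placeholders.

```python
import hashlib

# Constructed sample data: the empty-tree id is git's well-known constant;
# the parent id, identity and timestamp are placeholders, not real objects.
TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
PARENT = "0123456789abcdef0123456789abcdef01234567"
IDENT = "Example Committer <committer@example.invalid> 1560267720 -0400"

def commit_body(message, gpgsig=None):
    """Render a commit object as git stores it: headers, blank line, message."""
    headers = [f"tree {TREE}", f"parent {PARENT}", f"author {IDENT}", f"committer {IDENT}"]
    if gpgsig is not None:
        # multi-line header values continue with one leading space per line
        headers.append("gpgsig " + "\n ".join(gpgsig.splitlines()))
    return "\n".join(headers) + "\n\n" + message

def commit_id(body):
    """The commit hash: SHA-1 over 'commit <size>\\0' + body, as git computes it."""
    data = body.encode()
    return hashlib.sha1(b"commit %d\x00" % len(data) + data).hexdigest()

def signed_payload(body):
    """What the signature covers: the commit body with the gpgsig header stripped."""
    headers, message = body.split("\n\n", 1)
    kept, skipping = [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            skipping = True          # drop the header line ...
        elif skipping and line.startswith(" "):
            continue                 # ... and its continuation lines
        else:
            skipping = False
            kept.append(line)
    return "\n".join(kept) + "\n\n" + message

def toy_sign(body):
    """Stand-in for the detached OpenPGP signature (a digest, not real crypto)."""
    return hashlib.sha256(signed_payload(body).encode()).hexdigest()

def toy_verify(body, sig):
    return toy_sign(body) == sig

def demo():
    original = commit_body("NIFI-0000 Example change")  # hypothetical ticket id
    sig = toy_sign(original)
    signed = commit_body("NIFI-0000 Example change", gpgsig=sig)
    # The reviewer amends the message: git writes a new object (new hash) and,
    # unless the reviewer re-signs, the old signature no longer matches.
    amended = commit_body("NIFI-0000 Example change\n\nThis closes #0000.")
    return {"hash_changed": commit_id(signed) != commit_id(amended),
            "original_verifies": toy_verify(signed, sig),
            "amended_verifies": toy_verify(amended, sig)}
```

Re-signing the amended commit (for example with `git commit --amend -S`) is what restores the "Verified" badge, since the signature must cover the new payload.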