Yep, I support these suggestions. Setting up GPG does have a learning curve for folks that haven't done it before, but I think our community would be helpful in assisting folks on the mailing list and Apache NiFi Slack where they run into trouble. It's a good practice to learn and once setup there's not much more to do to get the benefits of it.
Setting up GPG is also required when acting as release manager in order to sign convenience binaries (and soon, as Andy brought up, maven release artifacts as well - I think that is also a good idea), so the effort required to get setup for GPG has lots of benefits for folks that are interested in RM'ing as well. Kevin On Tue, Jun 11, 2019 at 3:30 PM Peter Wicks (pwicks) <pwi...@micron.com> wrote: > > I like having signed commits. I develop on both Windows and Linux, but have > only had success getting signing working on Windows (which was a bit > complicated as it was). You can see when I switched from mostly Windows to > mostly Linux by when I stopped signing commits... > > Thanks, > Peter > > -----Original Message----- > From: Andy LoPresto <alopre...@apache.org> > Sent: Tuesday, June 11, 2019 1:25 PM > To: dev@nifi.apache.org > Subject: [EXT] Re: GitHub Stuff > > I strongly support both of these suggestions. Thanks for starting the > conversation Bryan. GPG signing is very important for security and for > encouraging the rest of the community to adopt these practices as well. > > > Andy LoPresto > alopre...@apache.org > alopresto.apa...@gmail.com > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > > > On Jun 11, 2019, at 11:42 AM, Bryan Bende <bbe...@gmail.com> wrote: > > > > I had two thoughts related to our GitHub usage that I wanted to throw > > out there for PMC members and committers... > > > > 1) I think it would be helpful if everyone setup the link between > > their Apache id and github [1]. Setting up this link puts you into the > > nifi-committers group in Apache (currently 17 of us are in there), and > > I believe this is what controls the list of users that can be selected > > as a reviewer on a pull request. Since PRs are the primary form of > > contribution, it would be nice if all of the PMC/committers were in > > the reviewer list, but of course you can continue to commit against > > Gitbox without doing this. > > > > 2) I also think it would be nice if most of the commits in the repo > > were signed commits that show up as "Verified" in GitHub [2]. Right > > now I think we lose the verification if the user reviewing the commit > > doesn't have signing setup, because when you amend the commit to add > > "This closes ...", it technically produces a new commit hash, thus > > making the original signature no longer apply (at least this is what I > > think is happening, but other may know more). > > > > These are obviously just my opinions and no one has to do these > > things, but just thought I would throw it out there for discussion in > > case anyone wasn't aware. > > > > -Bryan > > > > [1] > > https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitb > > ox.apache.org%2Fsetup%2F&data=02%7C01%7Cpwicks%40micron.com%7Cc2f2 > > 0a00f6424597c10708d6eea27d65%7Cf38a5ecd28134862b11bac1d563c806f%7C0%7C > > 0%7C636958778999592924&sdata=mJ59FD6KSYn1jXHN0yRRagKf6BHdWn7N1ZXmV > > 4BtBi8%3D&reserved=0 [2] > > https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhelp > > .github.com%2Fen%2Farticles%2Fsigning-commits&data=02%7C01%7Cpwick > > s%40micron.com%7Cc2f20a00f6424597c10708d6eea27d65%7Cf38a5ecd28134862b1 > > 1bac1d563c806f%7C0%7C0%7C636958778999592924&sdata=%2BiByT0SfcxSsoL > > XgS4VFLI1DTBn9BW3vD1iPvCCqRSI%3D&reserved=0 >
