Re: Signing key repository

2024-02-18 Thread Craig Russell
Hi Sebb(TEST)

> On Feb 18, 2024, at 16:18, sebb  wrote:
> 
> On Sun, 18 Feb 2024 at 23:46, sebbaz(Test) wrote:
>> 
>> On Sun, 18 Feb 2024 at 17:14, Craig Russell  wrote:
>>> 
>>> As you might have noticed, we received an SGA signed with a GPG key. Whimsy
>>> verified the key but as far as I can see, the filing process did not store 
>>> the key in the repository.
>> 
>> Note that all the sig checks are done in the same routine, which saves
>> the key if it was successfully imported.
>> 
>> It tried to save the SGA key, but failed; there was a problem with the
>> credentials (which I will try to fix).

I did notice that there was some permissions problem with the __keys__ 
directory but reloading the whimsy page seemed to fix it.
>> 
>> Was no error reported?

No error. It just seemed like the SGA code did not try to save the key. 
>> 
>>> Perhaps we should change the name of the key repository to reflect that any 
>>> of several documents might be signed, and change the code to store the key 
>>> if it is used to sign any of the documents.
>>> 
>> 
>> The __keys__ directory is currently under iclas; perhaps it should be
>> moved to the same level as the iclas, cclas and grants.

Yes, please.
> 
> Upon further checking, this would entail setting up a new SVN
> auth entry with the appropriate permissions; not sure it's worth it.

Thanks for checking. If it's not too much work, moving the __keys__ directory a 
level above would make sense to me.

Thanks,
Craig
> 
>>> WDYT?
>>> 
>>> Craig L Russell
>>> c...@apache.org 
Craig L Russell
c...@apache.org



Board agenda bug

2024-02-18 Thread Craig Russell
If I change my name when adding a comment, my "approved by" name also changes.

The name on the comment should not change the "approved by" name.

WDYT?

Craig L Russell
c...@apache.org



Re: Signing key repository

2024-02-18 Thread sebb
On Sun, 18 Feb 2024 at 23:46, sebbaz(Test)  wrote:
>
> On Sun, 18 Feb 2024 at 17:14, Craig Russell  wrote:
> >
> > As you might have noticed, we received an SGA signed with a GPG key. Whimsy
> > verified the key but as far as I can see, the filing process did not store 
> > the key in the repository.
>
> Note that all the sig checks are done in the same routine, which saves
> the key if it was successfully imported.
>
> It tried to save the SGA key, but failed; there was a problem with the
> credentials (which I will try to fix).
>
> Was no error reported?
>
> > Perhaps we should change the name of the key repository to reflect that any 
> > of several documents might be signed, and change the code to store the key 
> > if it is used to sign any of the documents.
> >
>
> The __keys__ directory is currently under iclas; perhaps it should be
> moved to the same level as the iclas, cclas and grants.

Upon further checking, this would entail setting up a new SVN
auth entry with the appropriate permissions; not sure it's worth it.

> > WDYT?
> >
> > Craig L Russell
> > c...@apache.org
> >


Re: Signing key repository

2024-02-18 Thread sebbaz(Test)
On Sun, 18 Feb 2024 at 17:14, Craig Russell  wrote:
>
> As you might have noticed, we received an SGA signed with a GPG key. Whimsy
> verified the key but as far as I can see, the filing process did not store 
> the key in the repository.

Note that all the sig checks are done in the same routine, which saves
the key if it was successfully imported.

It tried to save the SGA key, but failed; there was a problem with the
credentials (which I will try to fix).

Was no error reported?

> Perhaps we should change the name of the key repository to reflect that any 
> of several documents might be signed, and change the code to store the key if 
> it is used to sign any of the documents.
>

The __keys__ directory is currently under iclas; perhaps it should be
moved to the same level as the iclas, cclas and grants.

> WDYT?
>
> Craig L Russell
> c...@apache.org
>


Re: Web site checks feature request

2024-02-18 Thread sebb
On Sun, 18 Feb 2024 at 19:12, Craig Russell  wrote:
>
> I was just looking at the web site check tool and I've added a board 
> discussion about the hundreds of failures.

OK, but out of scope for Whimsy.

> I also clicked on one link
> https://whimsy.apache.org/site/project/aries
> and followed it to
> https://aries.apache.org/documentation/index.html
> and then to
> https://github.com/apache/aries-antora-site/edit/master/modules/ROOT/pages/index.adoc
>
> This repository must be forked in order to propose changes.

AFAICT that is normal. Only project committers can create branches in
ASF git repos, and PRs need branches.

> Here's what I think needs to be done:
> check for a link to the source code to the web site repository; if not, 
> yellow flag

Whimsy only checks the index page, which would imply that all websites
would need to link to the website repo (which might also be in SVN)
from the main index page.
It would be useful if every page had an Edit button, but that may not
be easy to do, depending on the website repo and build process.
I think it would be a mistake to make that mandatory.

> check that the repository is at least readable for the public

That is potentially possible to check, though I think it is unnecessary.
AFAICT Infra does not use any authn to fetch the websites for display,
so problems will be immediately apparent.

> and read/write for committers of that project; if not, yellow flag

I think that is out of scope for Whimsy.
In any case, if project committers cannot update the website I'm sure
they will complain.

> I also think that policy should mandate a link to the repository and 
> read/write access by project committers.

That is outside the scope of the Whimsy project.

> Craig L Russell
> c...@apache.org
>


Web site checks feature request

2024-02-18 Thread Craig Russell
I was just looking at the web site check tool and I've added a board discussion 
about the hundreds of failures.

I also clicked on one link 
https://whimsy.apache.org/site/project/aries
and followed it to
https://aries.apache.org/documentation/index.html
and then to
https://github.com/apache/aries-antora-site/edit/master/modules/ROOT/pages/index.adoc

This repository must be forked in order to propose changes.

Here's what I think needs to be done:
check for a link to the source code to the web site repository; if not, yellow 
flag
check that the repository is at least readable for the public and read/write 
for committers of that project; if not, yellow flag

I also think that policy should mandate a link to the repository and read/write 
access by project committers.

Craig L Russell
c...@apache.org



Signing key repository

2024-02-18 Thread Craig Russell
As you might have noticed, we received an SGA signed with a GPG key. Whimsy
verified the key but as far as I can see, the filing process did not store the 
key in the repository.

Perhaps we should change the name of the key repository to reflect that any of 
several documents might be signed, and change the code to store the key if it 
is used to sign any of the documents.

WDYT?

Craig L Russell
c...@apache.org