Re: [Mailman-Developers] Signing commits with gpg

[Stephen J. Turnbull]

Mark Sapiro writes:

 > where linus argues that "Signing each commit is totally stupid." and
 > that you should sign tags but not commits.

I agree with Linus that signing all commits is probably unnecessary
because of the SHA1 chain, but I disagree with signing only tags.  I
think that the theoretical sweet spot is signing merge commits (or
branch head in case of a fast-forward) at push time.

But pragmatically that's too annoying (requires user decision AFAIK,
easy to omit, etc), so autosigning every commit FTW IMHO.

Steve


___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Developers] Signing commits with gpg

[Barry Warsaw]

On Oct 25, 2017, at 12:14, Simon Hanna  wrote:
> 
> I guess more important would be to sign the releases. At least archlinux 
> likes to have signatures for source archives and often requests upstream 
> projects to add this.

Definitely.  I (try to remember to) sign both tags and releases for Core.

> Another thing that just came to mind: how does commit squashing work? You'll 
> probably have to do that offline and not use gitlabs autosmashing…

I would think that squash merges would destroy the record of any intermediate 
signed commits.  Core doesn’t have a firm policy either way; sometimes I squash 
merge sometimes not.  I’m philosophical   opposed to squash merging, but git 
often really makes me want to do it anyway.

-Barry



signature.asc
Description: Message signed with OpenPGP
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Developers] Signing commits with gpg

[Simon Hanna]

I guess more important would be to sign the releases. At least archlinux likes 
to have signatures for source archives and often requests upstream projects to 
add this. 

For me as a user it would be more interesting to have a verified release signed 
by one key that's static rather than a commit history that is signed by many 
different keys that I don't know. 
I guess the single commit signature is more relevant to other developers, so we 
know who actually committed something. However, if all commits to the master 
branches come from merge requests, you already use gitlabs verification. It's 
not as good as gpg signatures, but in the end you have to trust gitlab to a 
certain degree anyway...

Another thing that just came to mind: how does commit squashing work? You'll 
probably have to do that offline and not use gitlabs autosmashing...

I don't have anything against it and I can also rather easily start doing that. 
(I will have to have my keychain nearby, as I don't have my keys stored on my 
machines...)
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Developers] Signing commits with gpg

[Barry Warsaw]

On Oct 24, 2017, at 18:56, Mark Sapiro  wrote:
> 
> I remember looking into signing commits when we first switched from bzr
> to git because I was used to signing all commits. At that time, it
> seemed controversial. See, e.g.,
> 
> where linus argues that "Signing each commit is totally stupid." and
> that you should sign tags but not commits.
> 
> I don't know enough about the internals of this to have an opinion, and
> as I said I will be signing my commits going forward, and the post I
> link to is over 8 years old and things might have changed, but there it
> is for what it's worth.

I’m not sure that any of the points Linus brings up in that thread have 
changed, but I’m also not sure how relevant they are to our workflow.  It’s 
interesting enough that Gitlab is now showing the verified tag for signed 
commits, although TBH, I’m also not sure how much that buys us in practice.  
Still, it’s easy enough to experiment with, so let’s do it and see if it has 
any practical impact on us, either pro or con.

-Barry



signature.asc
Description: Message signed with OpenPGP
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Developers] Signing commits with gpg

[Mark Sapiro]

On 10/24/2017 02:18 PM, Barry Warsaw wrote:
> On Oct 24, 2017, at 16:52, Abhilash Raj  wrote:
>>
>> Gitlab now supports verification of commit signatures and it would be
>> awesome if we start signing commits. It is a relatively painless process
>> and happens automatically with little configuration.
> 
> Very cool that GL has enabled this!  Thanks for sending the recipe too.  I 
> definitely encourage folks (especially core devs) to start signing commits.


I have set my .gitconfig to automatically sign commits (I already had my
signingkey in the [user] section, but I didn't have [commit] gpgsign =
true which I now do).

I remember looking into signing commits when we first switched from bzr
to git because I was used to signing all commits. At that time, it
seemed controversial. See, e.g.,

where linus argues that "Signing each commit is totally stupid." and
that you should sign tags but not commits.

I don't know enough about the internals of this to have an opinion, and
as I said I will be signing my commits going forward, and the post I
link to is over 8 years old and things might have changed, but there it
is for what it's worth.

-- 
Mark Sapiro The highway is for gamblers,
San Francisco Bay Area, Californiabetter use your sense - B. Dylan



signature.asc
Description: OpenPGP digital signature
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

Re: [Mailman-Developers] Signing commits with gpg

[Barry Warsaw]

On Oct 24, 2017, at 16:52, Abhilash Raj  wrote:
> 
> Gitlab now supports verification of commit signatures and it would be
> awesome if we start signing commits. It is a relatively painless process
> and happens automatically with little configuration.

Very cool that GL has enabled this!  Thanks for sending the recipe too.  I 
definitely encourage folks (especially core devs) to start signing commits.

Cheers,
-Barry



signature.asc
Description: Message signed with OpenPGP
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9

[Mailman-Developers] Signing commits with gpg

[Abhilash Raj]

Hi All,

Gitlab now supports verification of commit signatures and it would be
awesome if we start signing commits. It is a relatively painless process
and happens automatically with little configuration.

Spoofing authors in git is quite easy, actually provided as a command
line option (--author, --reset-author), and I believe it would be a good
practice to sign all the commits (even outside of Mailman).

Here are steps for how you can do that:

1. Add your public key to Gitlab (https://gitlab.com/profile/gpg_keys)

2. Commit with `-S` (capital S)

Here is the relevant section of `.gitconfig` to auto-sign every commit
you make (no need for step 2 if you do this):

```   
   [user]
name = Abhilash Raj
email = raj.abhila...@gmail.com
signingkey = 541EA0448453394FF77A0ECC9D9B2BA061D0A67C
   [commit]
gpgsign = true
```

Once you have pushed a signed commit to Gitlab and have uploaded your
gpg public key, you will see a green "Verified" button alongside every
commit. (See
https://gitlab.com/maxking/mailman/commits/msapiro/mailman-pending)

-- 
  Abhilash Raj
  maxk...@asynchronous.in
___
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: 
https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9