Re: GPG signing commits on Github

2016-04-06 Thread Will Stevens
Ok cool. I was jumping to conclusions. :P My bad... *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Wed, Apr 6, 2016 at 5:08 PM, Wido den Hollander wrote: > > > Op 6

Re: GPG signing commits on Github

2016-04-06 Thread Wido den Hollander
> On 6 April 2016 at 19:16, Will Stevens wrote: > > > yes, for now. this is something I want to work towards, but we have to be > patient and go one step at a time. > Yes. I never meant this to be implemented right now. For me it seemed like a good thing so that we

Re: GPG signing commits on Github

2016-04-06 Thread Will Stevens
yes, for now. this is something I want to work towards, but we have to be patient and go one step at a time. *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* tw @CloudOps_ On Wed, Apr 6, 2016 at 1:06 PM, Daan

Re: GPG signing commits on Github

2016-04-06 Thread Daan Hoogland
On Wed, Apr 6, 2016 at 6:58 PM, Will Stevens wrote: > but we have to work with the ASF so we can not go there tomorrow but maybe the day after. Both we and the foundation want signed commits so in the end we can be using github for this as well. As long as there is no

Re: GPG signing commits on Github

2016-04-06 Thread Will Stevens
I am just trying to make sure we are all clear on what we are trying to achieve. No, we do not have committer access via Github, and in order for us to be able to make the move the 'apache-cloudstack' org, we will need to keep it that way (at least for now). I am still working on getting this to

Re: GPG signing commits on Github

2016-04-06 Thread Rafael Weingärtner
Ah, ok I had forgotten that, my bad. On Wed, Apr 6, 2016 at 12:39 PM, Daan Hoogland wrote: > On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner < > rafaelweingart...@gmail.com> wrote: > >> Sorry, but I did not understand. We do not have commit access to Github, >>

Re: GPG signing commits on Github

2016-04-06 Thread Daan Hoogland
On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner < rafaelweingart...@gmail.com> wrote: > Sorry, but I did not understand. We do not have commit access to Github, > right? > I think we are talking about the new to be cloudstack organisation, right @Will? > > On Wed, Apr 6, 2016 at 12:35

Re: GPG signing commits on Github

2016-04-06 Thread Rafael Weingärtner
Sorry, but I did not understand. We do not have commit access to Github, right? On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland wrote: > hm, no ;) We can control access to the organisation right? so we can close > it for committers that don't have a valid key. We just

Re: GPG signing commits on Github

2016-04-06 Thread Daan Hoogland
hm, no ;) We can control access to the organisation right? so we can close it for committers that don't have a valid key. We just need to think of a procedure for checking and registration. On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens wrote: > Yes, I agree with both of

Re: GPG signing commits on Github

2016-04-06 Thread Will Stevens
Yes, I agree with both of you. Maybe I am not being clear. My point is only that we can't allow commit access on Github because then we can not limit it to only valid committers who COULD commit. Is that clearer? *Will STEVENS* Lead Developer *CloudOps* *| *Cloud Solutions Experts 420 rue Guy

Re: GPG signing commits on Github

2016-04-06 Thread Rafael Weingärtner
I agree with Daan. On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland wrote: > Will, we only need to be sure about the keys of committers. Only merge > commits we need to be sure of the signature and the merger needs to > verify the code. He can not assure that the

Re: GPG signing commits on Github

2016-04-06 Thread Daan Hoogland
Will, we only need to be sure about the keys of committers. Only merge commits we need to be sure of the signature and the merger needs to verify the code. He can not assure that the origin of the code is authentic but he can at least assure that the code is unchanged since contribution when

Re: GPG signing commits on Github

2016-04-06 Thread Will Stevens
Ok, that is half. But how do we verify that a Github user has a GPG key that is matching what is registered in the ASF? Just because you have a GPG key does not mean you are an ASF committer, so the check would have to be made to verify the GPG is registered to an ASF committer before they would

Re: GPG signing commits on Github

2016-04-06 Thread Rafael Weingärtner
There is a way to do that. When you become a committer, you can register a key at [1], then that key (public key) is loaded to [2]. The key is associated with the committer’s login. For instance, this is my public key [3]. [1] id.apache.org [2] https://people.apache.org/keys/committer/ [3]

Re: GPG signing commits on Github

2016-04-06 Thread Will Stevens
I don't think it is quite this simple. There would have to be a way for the GPG key to be associated with a specific ASF identity and I don't think that is in place at this time. Also, there would have to be verification that the person who is committing has a GPG key AND that they are a

Re: GPG signing commits on Github

2016-04-06 Thread Daan Hoogland
On Wed, Apr 6, 2016 at 11:00 AM, Wido den Hollander wrote: > > > On 6 April 2016 at 10:50, Daan Hoogland wrote: > > > > > > Good reading for the Wednesday morning;) yes I think we need to go there > > and maybe even ask it of our contributors. > > >

Re: GPG signing commits on Github

2016-04-06 Thread Wido den Hollander
> On 6 April 2016 at 10:50, Daan Hoogland wrote: > > > Good reading for the Wednesday morning;) yes I think we need to go there > and maybe even ask it of our contributors. > It might please the ASF since we can now prove who made the commit. If we ask all

Re: GPG signing commits on Github

2016-04-06 Thread Daan Hoogland
Good reading for the Wednesday morning;) yes I think we need to go there and maybe even ask it of our contributors. On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander wrote: > Hi, > > Github just added [0] support for verifying GPG signatures of Git commits > to the > web

GPG signing commits on Github

2016-04-06 Thread Wido den Hollander
Hi, Github just added [0] support for verifying GPG signatures of Git commits to the web interface. Under the settings page [1] you can now add your public GPG key so Github can verify it. It's rather simple: $ gpg --armor --export w...@widodh.nl That gave me my public key which I could