Thanks Steve for starting the discussion.
Now I commit and cherry-pick patches with the -S option and have not
faced any problems.
-Akira
On 2017/02/24 20:36, Steve Loughran wrote:
For the next few days I'm experimenting with the -S option on signing commits,
which tells git to ask gpg to sign the commit, which will then somehow get the
little yubikey plugged into my laptop to do the signing
Because I've uploaded the public bit of the key to my github repo, Github can
authenticate that it really was me doing the commit
https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc
and, if I'm trusted in your keyring, a git log --show-signature
git log --show-signature 9c22a91662
commit 9c22a91662af24569191ce45289ef8266e8755cc
gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
gpg: using RSA key 950CC3E032B79CA2
gpg: Good signature from "Steve Loughran
<ste...@apache.org>" [ultimate]
Author: Steve Loughran <ste...@apache.org>
Date: Fri Feb 24 10:41:36 2017 +0000
HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed by
Sean Mackrory.
(cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)
You can also use GPG to sign a tag, then use git verify-tag to check the
signature; this stops anyone being able to silently move a tag: you can move a
tag, but then its signature is invalid
Will it help make our code and development process more secure? Not really, not
if our build depends on pulling down artifacts from random places with an MD5 or
SHA1 validation *at best*. And signing patches doesn't magically make the code
inside secure. But it does at least add some chain of provenance to who
actually put stuff in, rather than the logged committer of any patch being
whoever that user chose to declare themselves to be.
I'm only doing this for the never-rebased branches, and of course when
something gets cherry picked, the signature becomes invalid. I'll decide after
a week or two whether it's a viable process. The opinions/experience of others
would be useful here
-Steve
ps, key in question:
https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
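An added example (not from this thread or the Hadoop project) of the check Steve's scheme makes possible: audit a never-rebased branch from `git log --format='%H%x09%G?%x09%GK%x09%s'` output, where git's %G? placeholder gives the one-letter signature status and %GK the signing key id. The sample log and the key ids other than 950CC3E032B79CA2 are constructed; the policy (only a good signature from an expected key passes) is an assumption.

```python
"""Audit a never-rebased branch: every commit must carry a good signature
from a trusted key. Input is the output of
    git log --format='%H%x09%G?%x09%GK%x09%s' <range>
(%G? = one-letter signature status, %GK = signing key id, tab-separated)."""
# Meaning of git's %G? placeholder, as documented in git-log(1).
STATUS = {
    "G": "good signature, trusted key",
    "B": "bad signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature, but it has expired",
    "Y": "good signature, but the key has expired",
    "R": "good signature, but the key is revoked",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

def parse_log(text: str) -> list:
    """Parse tab-separated log lines into (sha, status, key, subject) tuples."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, status, key, subject = line.split("\t", 3)
            commits.append((sha, status, key, subject))
    return commits

def audit(commits: list, trusted_keys: set) -> list:
    """Return (sha, reason) for each commit failing the policy: only status
    'G' from a key in trusted_keys passes. A cherry-pick made without -S
    shows up as 'N'; a signer whose public key you lack shows up as 'E'."""
    problems = []
    for sha, status, key, _subject in commits:
        if status != "G":
            problems.append((sha, STATUS.get(status, "unknown status")))
        elif key not in trusted_keys:
            problems.append((sha, f"signed by unexpected key {key}"))
    return problems

# Constructed sample log: the first row is the signed commit and key id from
# the thread; the other shas, key ids and subjects are made up.
SAMPLE_LOG = "\n".join([
    "9c22a91662af24569191ce45289ef8266e8755cc\tG\t950CC3E032B79CA2\tHADOOP-14114 S3A can no longer handle unencoded + in URIs.",
    "1111111111111111111111111111111111111111\tN\t\tcherry-pick done without -S, signature lost",
    "2222222222222222222222222222222222222222\tE\t0123456789ABCDEF\tsigner's public key not in the keyring",
    "3333333333333333333333333333333333333333\tG\tFEDCBA9876543210\tgood signature but not an expected signer",
])
TRUSTED_KEYS = {"950CC3E032B79CA2"}

if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print(f"{sha[:10]} {reason}")
```

Run it against a real range with `git log --format='%H%x09%G?%x09%GK%x09%s' origin/trunk..HEAD | python3 audit.py` after replacing SAMPLE_LOG with stdin; an untrusted-but-valid signer shows as 'U', which this policy also rejects.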