Sorry, but I did not understand. We do not have commit access to Github, right?
On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <[email protected]> wrote:

> hm, no ;) We can control access to the organisation right? so we can close
> it for committers that don't have a valid key. We just need to think of a
> procedure for checking and registration.
>
> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <[email protected]> wrote:
>
>> Yes, I agree with both of you. Maybe I am not being clear. My point is
>> only that we can't allow commit access on Github because then we cannot
>> limit it to only valid committers who COULD commit. Is that clearer?
>>
>> *Will STEVENS*
>> Lead Developer
>>
>> *CloudOps* *| *Cloud Solutions Experts
>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>> w cloudops.com *|* tw @CloudOps_
>>
>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <[email protected]> wrote:
>>
>> > I agree with Daan.
>> >
>> > On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <[email protected]> wrote:
>> >
>> >> Will, we only need to be sure about the keys of committers. Only for merge
>> >> commits do we need to be sure of the signature, and the merger needs to
>> >> verify the code. He cannot assure that the origin of the code is authentic,
>> >> but he can at least assure that the code is unchanged since contribution
>> >> when it is signed. I don't think we need more.
>> >>
>> >> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <[email protected]> wrote:
>> >>
>> >> > Ok, that is half. But how do we verify that a Github user has a GPG key
>> >> > that is matching what is registered in the ASF? Just because you have a
>> >> > GPG key does not mean you are an ASF committer, so the check would have to
>> >> > be made to verify the GPG is registered to an ASF committer before they
>> >> > would be allowed to actually commit via Github. How would this be resolved?
>> >> >
>> >> > On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <[email protected]> wrote:
>> >> >
>> >> >> There is a way to do that. When you become a committer, you can register a
>> >> >> key at [1], then that key (public key) is loaded to [2]. The key is
>> >> >> associated with the committer's login. For instance, this is my public key
>> >> >> [3].
>> >> >>
>> >> >> [1] id.apache.org
>> >> >> [2] https://people.apache.org/keys/committer/
>> >> >> [3] https://people.apache.org/keys/committer/rafael.asc
>> >> >>
>> >> >> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <[email protected]> wrote:
>> >> >>
>> >> >> > I don't think it is quite this simple. There would have to be a way for
>> >> >> > the GPG key to be associated with a specific ASF identity and I don't think
>> >> >> > that is in place at this time. Also, there would have to be verification
>> >> >> > that the person who is committing has a GPG key AND that they are a
>> >> >> > committer in ASF and have an identity there. I think there are more moving
>> >> >> > parts here than meet the eye, but we can definitely continue the discussion
>> >> >> > and see where it can lead.
>> >> >> >
>> >> >> > On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <[email protected]> wrote:
>> >> >> >
>> >> >> > > > On 6 April 2016 at 10:50, Daan Hoogland <[email protected]> wrote:
>> >> >> > > >
>> >> >> > > > Good reading for the Wednesday morning;) yes I think we need to go there
>> >> >> > > > and maybe even ask it of our contributors.
>> >> >> > > >
>> >> >> > > It might please the ASF since we can now prove who made the commit. If we ask
>> >> >> > > all committers to upload their public key and sign their commits we can check
>> >> >> > > this.
>> >> >> > >
>> >> >> > > For Pull Requests we can probably also add a hook/check which verifies if a
>> >> >> > > signature is present.
>> >> >> > >
>> >> >> > > Wido
>> >> >> > >
>> >> >> > > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <[email protected]> wrote:
>> >> >> > > >
>> >> >> > > > > Hi,
>> >> >> > > > >
>> >> >> > > > > Github just added [0] support for verifying GPG signatures of Git commits
>> >> >> > > > > to the web interface.
>> >> >> > > > >
>> >> >> > > > > Under the settings page [1] you can now add your public GPG key so Github
>> >> >> > > > > can verify it.
>> >> >> > > > >
>> >> >> > > > > It's rather simple:
>> >> >> > > > >
>> >> >> > > > > $ gpg --armor --export [email protected]
>> >> >> > > > >
>> >> >> > > > > That gave me my public key which I could export.
>> >> >> > > > >
>> >> >> > > > > Git already supports signing [2] commits with your key.
>> >> >> > > > >
>> >> >> > > > > This makes me wonder, is this something we want to enforce? To me it seems
>> >> >> > > > > like a good thing to have.
>> >> >> > > > >
>> >> >> > > > > Wido
>> >> >> > > > >
>> >> >> > > > > [0]: https://github.com/blog/2144-gpg-signature-verification
>> >> >> > > > > [1]: https://github.com/settings/keys
>> >> >> > > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>> >> >> > > >
>> >> >> > > > --
>> >> >> > > > Daan
>> >> >>
>> >> >> --
>> >> >> Rafael Weingärtner
>> >>
>> >> --
>> >> Daan
>> >
>> > --
>> > Rafael Weingärtner
>
> --
> Daan

--
Rafael Weingärtner
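The check the thread converges on (merge commits must carry a good signature, and the signing key must be one registered to an ASF committer, not merely any key GitHub shows as "verified") can be scripted on the merger's side over the output of `git log`. The following is an added example written for this page; it is not code from the CloudStack project or the ASF. It assumes a git that supports the `%G?`, `%GF` and `%GS` log placeholders (the fingerprint placeholder `%GF` was added after this 2016 thread), a local GnuPG keyring into which the committer keys from https://people.apache.org/keys/committer/ have been imported so git can verify signatures at all, and an allow-list of key fingerprints to ASF logins that the caller builds from those same .asc files. The fingerprints, hashes and addresses in the sample data are constructed.

```python
"""Policy check for GPG-signed merge commits (added example, not project code).

Policy, as discussed in the thread: every merge commit needs a good signature
from a key that belongs to a registered committer; ordinary pull-request
commits may be unsigned, since the merger reviews and signs the merge.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Tab-separated fields requested from git: hash, parent hashes, %G? signature
# status, signing-key fingerprint, signer string, subject line.
LOG_FORMAT = "%H%x09%P%x09%G?%x09%GF%x09%GS%x09%s"

# Meaning of the %G? codes, from git-log(1).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. key not in keyring)",
    "N": "no signature",
}
# "U" is accepted because the merger need not have certified the key locally;
# membership in the committer allow-list is the check that matters here.
ACCEPTED_STATUS = {"G", "U"}


@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str


def git_log_command(rev_range: str) -> List[str]:
    """argv for listing the commits to check, e.g. rev_range='master..pr-branch'."""
    return ["git", "log", "--format=" + LOG_FORMAT, rev_range]


def normalize_fingerprint(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def check_commit(record: str, committer_keys: Dict[str, str]) -> Verdict:
    """Apply the policy to one line of git log output (subject may contain tabs)."""
    fields = record.rstrip("\n").split("\t", 5)
    if len(fields) != 6:
        raise ValueError("unexpected git log record: %r" % record)
    sha, parents, status, fpr, signer, _subject = fields
    is_merge = len(parents.split()) > 1

    if status == "N":
        if is_merge:
            return Verdict(sha, False, "merge commit is unsigned")
        return Verdict(sha, True, "unsigned non-merge commit, allowed by policy")
    if status not in ACCEPTED_STATUS:
        return Verdict(sha, False, "signature rejected: "
                       + STATUS_TEXT.get(status, "unknown status " + status))

    # A valid signature only proves the commit is unchanged since it was signed.
    # Whether the signer is a committer is decided by the registered-key list.
    login = committer_keys.get(normalize_fingerprint(fpr))
    if login is None:
        return Verdict(sha, False, "good signature from %s, but key %s is not a "
                       "registered committer key" % (signer, fpr))
    return Verdict(sha, True, "signed by committer %s (%s)" % (login, signer))


def check_log(records: Iterable[str], committer_keys: Dict[str, str]) -> List[Verdict]:
    return [check_commit(r, committer_keys) for r in records if r.strip()]


def check_range(rev_range: str, committer_keys: Dict[str, str]) -> List[Verdict]:
    """Run git for real; needs git and the committer keys imported into gpg."""
    out = subprocess.run(git_log_command(rev_range), check=True,
                         capture_output=True, text=True).stdout
    return check_log(out.splitlines(), committer_keys)


# Constructed sample data: fingerprints, hashes and addresses are made up.
COMMITTER_KEYS = {
    "1111222233334444555566667777888899990000": "daan",
    "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333": "rafael",
}
SAMPLE_LOG = [
    # merge, good signature, registered key -> pass
    "c0ffee01\tp1 p2\tG\t1111222233334444555566667777888899990000\tDaan Hoogland <daan@example.org>\tMerge pull request #1",
    # merge, unsigned -> fail
    "c0ffee02\tp1 p2\tN\t\t\tMerge pull request #2",
    # contributor commit, unsigned -> allowed
    "c0ffee03\tp1\tN\t\t\tFix typo in README",
    # merge with a valid signature from a key that is not a committer's -> fail
    "c0ffee04\tp1 p2\tU\tDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\tSome User <someone@example.org>\tMerge pull request #3",
    # merge signed by a key git cannot verify -> fail
    "c0ffee05\tp1 p2\tE\t\t\tMerge pull request #4",
]

if __name__ == "__main__":
    for v in check_log(SAMPLE_LOG, COMMITTER_KEYS):
        print("%s %s %s" % (v.commit, "PASS" if v.ok else "FAIL", v.reason))
```

Run as a pre-merge check with `check_range("master..pr-branch", COMMITTER_KEYS)` after importing the committer keys; the fourth sample record is the case Will raises, where GitHub would display the signature as verified but the key is not one registered at id.apache.org.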
