Ah, ok I had forgotten that, my bad.

On Wed, Apr 6, 2016 at 12:39 PM, Daan Hoogland <[email protected]> wrote:

> On Wed, Apr 6, 2016 at 5:37 PM, Rafael Weingärtner <[email protected]> wrote:
>
>> Sorry, but I did not understand. We do not have commit access to Github,
>> right?
>
> I think we are talking about the new to-be cloudstack organisation, right
> @Will?
>
>> On Wed, Apr 6, 2016 at 12:35 PM, Daan Hoogland <[email protected]> wrote:
>>
>>> hm, no ;) We can control access to the organisation, right? So we can
>>> close it for committers that don't have a valid key. We just need to
>>> think of a procedure for checking and registration.
>>>
>>> On Wed, Apr 6, 2016 at 5:33 PM, Will Stevens <[email protected]> wrote:
>>>
>>>> Yes, I agree with both of you. Maybe I am not being clear. My point is
>>>> only that we can't allow commit access on Github because then we cannot
>>>> limit it to only valid committers who COULD commit. Is that clearer?
>>>>
>>>> *Will STEVENS*
>>>> Lead Developer
>>>>
>>>> *CloudOps* *|* Cloud Solutions Experts
>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
>>>> w cloudops.com *|* tw @CloudOps_
>>>>
>>>> On Wed, Apr 6, 2016 at 11:07 AM, Rafael Weingärtner <[email protected]> wrote:
>>>>
>>>>> I agree with Daan.
>>>>>
>>>>> On Wed, Apr 6, 2016 at 11:42 AM, Daan Hoogland <[email protected]> wrote:
>>>>>
>>>>>> Will, we only need to be sure about the keys of committers. Only for
>>>>>> merge commits do we need to be sure of the signature, and the merger
>>>>>> needs to verify the code. He cannot assure that the origin of the code
>>>>>> is authentic, but he can at least assure that the code is unchanged
>>>>>> since contribution when it is signed. I don't think we need more.
>>>>>>
>>>>>> On Wed, Apr 6, 2016 at 4:33 PM, Will Stevens <[email protected]> wrote:
>>>>>>
>>>>>>> Ok, that is half. But how do we verify that a Github user has a GPG
>>>>>>> key that is matching what is registered in the ASF? Just because you
>>>>>>> have a GPG key does not mean you are an ASF committer, so the check
>>>>>>> would have to be made to verify the GPG is registered to an ASF
>>>>>>> committer before they would be allowed to actually commit via Github.
>>>>>>> How would this be resolved?
>>>>>>>
>>>>>>> On Wed, Apr 6, 2016 at 10:09 AM, Rafael Weingärtner <[email protected]> wrote:
>>>>>>>
>>>>>>>> There is a way to do that. When you become a committer, you can
>>>>>>>> register a key at [1], then that key (public key) is loaded to [2].
>>>>>>>> The key is associated with the committer's login. For instance, this
>>>>>>>> is my public key [3].
>>>>>>>>
>>>>>>>> [1] id.apache.org
>>>>>>>> [2] https://people.apache.org/keys/committer/
>>>>>>>> [3] https://people.apache.org/keys/committer/rafael.asc
>>>>>>>>
>>>>>>>> On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I don't think it is quite this simple. There would have to be a way
>>>>>>>>> for the GPG key to be associated with a specific ASF identity and I
>>>>>>>>> don't think that is in place at this time. Also, there would have to
>>>>>>>>> be verification that the person who is committing has a GPG key AND
>>>>>>>>> that they are a committer in ASF and have an identity there. I think
>>>>>>>>> there are more moving parts here than meet the eye, but we can
>>>>>>>>> definitely continue the discussion and see where it can lead.
>>>>>>>>>
>>>>>>>>> On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>>> On 6 April 2016 at 10:50, Daan Hoogland <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Good reading for the Wednesday morning ;) Yes, I think we need to
>>>>>>>>>>> go there and maybe even ask it of our contributors.
>>>>>>>>>>
>>>>>>>>>> It might please the ASF since we can now prove who made the commit.
>>>>>>>>>> If we ask all committers to upload their public key and sign their
>>>>>>>>>> commits we can check this.
>>>>>>>>>>
>>>>>>>>>> For Pull Requests we can probably also add a hook/check which
>>>>>>>>>> verifies if a signature is present.
>>>>>>>>>>
>>>>>>>>>> Wido
>>>>>>>>>>
>>>>>>>>>>> On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Github just added [0] support for verifying GPG signatures of Git
>>>>>>>>>>>> commits to the web interface.
>>>>>>>>>>>>
>>>>>>>>>>>> Under the settings page [1] you can now add your public GPG key so
>>>>>>>>>>>> Github can verify it.
>>>>>>>>>>>>
>>>>>>>>>>>> It's rather simple:
>>>>>>>>>>>>
>>>>>>>>>>>>   $ gpg --armor --export [email protected]
>>>>>>>>>>>>
>>>>>>>>>>>> That gave me my public key which I could export.
>>>>>>>>>>>>
>>>>>>>>>>>> Git already supports signing [2] commits with your key.
>>>>>>>>>>>>
>>>>>>>>>>>> This makes me wonder, is this something we want to enforce? To me
>>>>>>>>>>>> it seems like a good thing to have.
>>>>>>>>>>>>
>>>>>>>>>>>> Wido
>>>>>>>>>>>>
>>>>>>>>>>>> [0]: https://github.com/blog/2144-gpg-signature-verification
>>>>>>>>>>>> [1]: https://github.com/settings/keys
>>>>>>>>>>>> [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Daan
>>>>>>>>
>>>>>>>> --
>>>>>>>> Rafael Weingärtner
>>>>>>
>>>>>> --
>>>>>> Daan
>>>>>
>>>>> --
>>>>> Rafael Weingärtner
>>>
>>> --
>>> Daan
>>
>> --
>> Rafael Weingärtner
>
> --
> Daan

--
Rafael Weingärtner
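As an added example that is not part of the thread (and not CloudStack or ASF tooling), a POSIX sh check of the kind Wido and Daan describe: it takes git's per-commit signature status and signing-key fingerprint and rejects commits that are unsigned, carry a bad signature, or were signed by a key that is not on a list of registered committer fingerprints. The allowlist format, the fingerprints and the sample log are constructed; it assumes the committer public keys have already been imported into gpg so that git can verify them.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-receive / CI style check that every
# commit in a pushed range carries a good GPG signature made by a key on a list
# of registered committer fingerprints. Assumptions (mine, not the thread's):
# committer public keys are already in gpg's keyring (e.g. fetched from
# https://people.apache.org/keys/committer/<login>.asc); one fingerprint per line.
# Constructed sample allowlist of committer key fingerprints (placeholders).
COMMITTER_FPRS='
0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98
'

# is_committer_key FPR: true if FPR is on the allowlist (whole-line, case-insensitive).
is_committer_key() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$COMMITTER_FPRS" | grep -qixF -- "$1"
}

# check_log LOG: LOG is the output of  git log --format='%H %G? %GF' <range>
# %G? is git's signature status letter (G good, U good but key not trusted in
# gpg, N unsigned, B bad, E unverifiable, X/Y expired, R revoked); %GF is the
# signing key fingerprint. Prints one verdict per commit; returns 1 on any reject.
check_log() {
    rc=0
    while read -r sha status fpr; do
        [ -n "$sha" ] || continue
        case "$status" in
            G|U) ;;   # valid signature from a key we hold; trust decided by allowlist
            N)   echo "REJECT $sha: unsigned"; rc=1; continue ;;
            *)   echo "REJECT $sha: signature status $status"; rc=1; continue ;;
        esac
        if is_committer_key "$fpr"; then
            echo "OK     $sha: signed by committer key $fpr"
        else
            echo "REJECT $sha: key $fpr is not registered to a committer"; rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample log: good committer signature, unsigned, unregistered key, bad signature.
SAMPLE_LOG='a1b2c3d4 G 0123456789ABCDEF0123456789ABCDEF01234567
b2c3d4e5 N
c3d4e5f6 G ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD
d4e5f6a7 B FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Run with --demo to check the sample; in a repository you would pass
#   "$(git log --format='%H %G? %GF' origin/master..HEAD)" instead.
case "${1:-}" in --demo) check_log "$SAMPLE_LOG" || echo "push rejected" ;; esac
```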
