Re: [PHP-DEV] Changes to Git commit workflow

2021-04-18 Thread Casper Langemeijer
On 01-04-2021 06:54, Bishop Bettini wrote: I've documented why we need signing, and how to set it up: https://wiki.php.net/vcs/commit-signing Feedback welcomed! In "Step 5 of 7: Configure git to use that key ID" you set `git config --global --replace user.signingkey "${GPG_KEYID}"` I found

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-10 Thread Jakub Zelenka
On Thu, Apr 1, 2021 at 3:21 PM Bishop Bettini wrote: > On Thu, Apr 1, 2021 at 9:22 AM Rowan Tommins > wrote: > > > On 01/04/2021 05:54, Bishop Bettini wrote: > > > I've documented why we need signing, and how to set it up: > > > > > > https://wiki.php.net/vcs/commit-signing > > > > > > Feedback

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Nikita Popov
his issue is probably fixed by https://github.com/php/web-master/commit/d0cac5411f97ec9df5995a632c20da770a77dedb . Nikita -Original Message- > From: Nikita Popov > Sent: Monday, March 29, 2021 6:52 AM > To: PHP internals ; PHP Doc Mailing List < > php...@lists.php.net

RE: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread CHU Zhaowei
internals ; PHP Doc Mailing List Subject: [PHP-DEV] Changes to Git commit workflow Hi everyone, Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towa

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Bishop Bettini
On Thu, Apr 1, 2021 at 12:24 PM Sara Golemon wrote: > On Thu, Apr 1, 2021 at 11:19 AM Rowan Tommins > wrote: > > > On 01/04/2021 15:59, Sara Golemon wrote: > > > On Thu, Apr 1, 2021 at 9:21 AM Bishop Bettini > > > wrote: > > > > > > I also added a FAQ. > > > > > > > >

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Sara Golemon
On Thu, Apr 1, 2021 at 11:19 AM Rowan Tommins wrote: > On 01/04/2021 15:59, Sara Golemon wrote: > > On Thu, Apr 1, 2021 at 9:21 AM Bishop Bettini > > wrote: > > > > I also added a FAQ. > > > > > > I disagree with the position this document takes on immortal keys. We >

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Rowan Tommins
On 01/04/2021 15:59, Sara Golemon wrote: On Thu, Apr 1, 2021 at 9:21 AM Bishop Bettini > wrote: I also added a FAQ. I disagree with the position this document takes on immortal keys. We should encourage best-practices with the knowledge that some people will weake

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Bishop Bettini
On Thu, Apr 1, 2021 at 11:32 AM Christoph M. Becker wrote: > On 01.04.2021 at 17:09, Kalle Sommer Nielsen wrote: > > > Den tor. 1. apr. 2021 kl. 07.55 skrev Bishop Bettini : > > > >> I've documented why we need signing, and how to set it up: > >> > >> https://wiki.php.net/vcs/commit-signing > >>

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Christoph M. Becker
On 01.04.2021 at 17:09, Kalle Sommer Nielsen wrote: > Den tor. 1. apr. 2021 kl. 07.55 skrev Bishop Bettini : > >> I've documented why we need signing, and how to set it up: >> >> https://wiki.php.net/vcs/commit-signing >> >> Feedback welcomed! > > Great guide, Yes, thanks for that, Bishop! > any

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Kalle Sommer Nielsen
Hi Bishop Den tor. 1. apr. 2021 kl. 07.55 skrev Bishop Bettini : > I've documented why we need signing, and how to set it up: > > https://wiki.php.net/vcs/commit-signing > > Feedback welcomed! Great guide, any chance to add some Windows information here? -- regards, Kalle Sommer Nielsen ka...@

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Sara Golemon
On Thu, Apr 1, 2021 at 9:21 AM Bishop Bettini wrote: > I also added a FAQ. > > I disagree with the position this document takes on immortal keys. We should encourage best-practices with the knowledge that some people will weaken their security with an immortal key, not start from a weak position

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Bishop Bettini
On Thu, Apr 1, 2021 at 9:22 AM Rowan Tommins wrote: > On 01/04/2021 05:54, Bishop Bettini wrote: > > I've documented why we need signing, and how to set it up: > > > > https://wiki.php.net/vcs/commit-signing > > > > Feedback welcomed! > > > This looks great, and very easy to follow. > > One edit

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Rowan Tommins
On 01/04/2021 05:54, Bishop Bettini wrote: I've documented why we need signing, and how to set it up: https://wiki.php.net/vcs/commit-signing Feedback welcomed! This looks great, and very easy to follow. One edit I would strongly suggest though: Remove the "Passphrase:" line from the --gen

Re: [PHP-DEV] Changes to Git commit workflow

2021-04-01 Thread Markus Fischer
Hi Bishop, On 01.04.21 06:54, Bishop Bettini wrote: I've documented why we need signing, and how to set it up: https://wiki.php.net/vcs/commit-signing Feedback welcomed! I'm not even the target audience in terms of php-src access, but rarely have I seen such a good tutorial approach on this

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-31 Thread Bishop Bettini
On Sun, Mar 28, 2021 at 8:16 PM Sara Golemon wrote: > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella > wrote: > > > You might consider requiring commits be signed while you're at it. > > > > > I suggested this as well, and even if we don't require it, we should > STRONGLY encourage it. > > I've b

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Sara Golemon
On Tue, Mar 30, 2021 at 10:13 AM Christoph M. Becker wrote: > > https://github.com/php/php-src/blob/master/NEWS which is a guaranteed > merge > > conflict between branches. > > Nope, see . :) > > GAME. CHANGED. This message constitutes your EFT

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Christoph M. Becker
On 30.03.2021 at 15:50, Sara Golemon wrote: > On Tue, Mar 30, 2021 at 8:34 AM Mike Schinkel wrote: > >> When you speak of NEWS, do you mean this? >> https://github.com/php/web-news >> > Negative. NEWS in all caps invariably refers to > https://github.com/php/php-

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Sara Golemon
On Tue, Mar 30, 2021 at 9:08 AM Mike Schinkel wrote: > On Mar 30, 2021, at 9:50 AM, Sara Golemon wrote: > > On Tue, Mar 30, 2021 at 8:34 AM Mike Schinkel wrote: > > When you speak of NEWS, do you mean this? > > https://github.com/php/web-news > > > Negative. NE

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Mike Schinkel
> On Mar 30, 2021, at 9:50 AM, Sara Golemon wrote: > > On Tue, Mar 30, 2021 at 8:34 AM Mike Schinkel > wrote: > > When you speak of NEWS, do you mean this? > > https://github.com/php/web-news > >

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread G. P. B.
On Tue, 30 Mar 2021 at 14:34, Mike Schinkel wrote: > > > > On Mar 30, 2021, at 8:29 AM, Jakub Zelenka wrote: > > > > > > > > On Tue, Mar 30, 2021 at 1:21 PM Jakub Zelenka bu...@php.net>> wrote: > > > > > > On Tue, Mar 30, 2021 at 12:47 PM Mike Schinkel > wrote: > >

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Sara Golemon
On Tue, Mar 30, 2021 at 8:34 AM Mike Schinkel wrote: > When you speak of NEWS, do you mean this? > https://github.com/php/web-news > Negative. NEWS in all caps invariably refers to https://github.com/php/php-src/blob/master/NEWS which is a guaranteed merge conflic

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Mike Schinkel
> On Mar 30, 2021, at 8:29 AM, Jakub Zelenka wrote: > > > > On Tue, Mar 30, 2021 at 1:21 PM Jakub Zelenka > wrote: > > > On Tue, Mar 30, 2021 at 12:47 PM Mike Schinkel > wrote: > > > > On Mar 30, 2021, at 5:51 AM, Derick Rethans >

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Jakub Zelenka
On Tue, Mar 30, 2021 at 1:21 PM Jakub Zelenka wrote: > > > On Tue, Mar 30, 2021 at 12:47 PM Mike Schinkel > wrote: > >> >> >> > On Mar 30, 2021, at 5:51 AM, Derick Rethans wrote: >> > >> > On 30 March 2021 10:43:41 BST, Max Semenik >> wrote: >> >> On Tue, Mar 30, 2021 at 3:29 AM Stanislav Maly

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Jakub Zelenka
On Tue, Mar 30, 2021 at 12:47 PM Mike Schinkel wrote: > > > > On Mar 30, 2021, at 5:51 AM, Derick Rethans wrote: > > > > On 30 March 2021 10:43:41 BST, Max Semenik > wrote: > >> On Tue, Mar 30, 2021 at 3:29 AM Stanislav Malyshev > >> > >> wrote: > >> > >>> Hi! > >>> > >>> On 3/29/21 4:49 AM, M

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Mike Schinkel
> On Mar 30, 2021, at 5:51 AM, Derick Rethans wrote: > > On 30 March 2021 10:43:41 BST, Max Semenik wrote: >> On Tue, Mar 30, 2021 at 3:29 AM Stanislav Malyshev >> >> wrote: >> >>> Hi! >>> >>> On 3/29/21 4:49 AM, Max Semenik wrote: Would it also make sense if direct pushes (bypassing t

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Derick Rethans
On 30 March 2021 10:43:41 BST, Max Semenik wrote: >On Tue, Mar 30, 2021 at 3:29 AM Stanislav Malyshev > >wrote: > >> Hi! >> >> On 3/29/21 4:49 AM, Max Semenik wrote: >> > Would it also make sense if direct pushes (bypassing the pull >requests >> > system) were disallowed completely? I can see mult

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-30 Thread Max Semenik
On Tue, Mar 30, 2021 at 3:29 AM Stanislav Malyshev wrote: > Hi! > > On 3/29/21 4:49 AM, Max Semenik wrote: > > Would it also make sense if direct pushes (bypassing the pull requests > > system) were disallowed completely? I can see multiple problems with > direct > > pushes: > > This is possible.

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-29 Thread Stanislav Malyshev
Hi! On 3/29/21 4:49 AM, Max Semenik wrote: On Mon, Mar 29, 2021 at 1:53 AM Nikita Popov wrote: changes should be pushed directly to GitHub rather than to git.php.net. Would it also make sense if direct pushes (bypassing the pull requests system) were disallowed completely? I can see multip

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-29 Thread G. P. B.
On Mon, 29 Mar 2021 at 12:50, Max Semenik wrote: > On Mon, Mar 29, 2021 at 1:53 AM Nikita Popov wrote: > > > changes should be pushed directly to GitHub rather than to git.php.net. > > > Would it also make sense if direct pushes (bypassing the pull requests > system) were disallowed completely?

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-29 Thread Max Semenik
On Mon, Mar 29, 2021 at 1:53 AM Nikita Popov wrote: > changes should be pushed directly to GitHub rather than to git.php.net. Would it also make sense if direct pushes (bypassing the pull requests system) were disallowed completely? I can see multiple problems with direct pushes: 1) Someone tr

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-29 Thread Paul Dragoonis
On Mon, 29 Mar 2021, 08:51 Paul Dragoonis, wrote: > > > On Mon, 29 Mar 2021, 02:30 Rasmus Lerdorf, wrote: > >> On Sun, Mar 28, 2021 at 17:15 Sara Golemon wrote: >> >> > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella >> > wrote: >> > >> >> You might consider requiring commits be signed while you

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-29 Thread Paul Dragoonis
On Mon, 29 Mar 2021, 02:30 Rasmus Lerdorf, wrote: > On Sun, Mar 28, 2021 at 17:15 Sara Golemon wrote: > > > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella > > wrote: > > > >> You might consider requiring commits be signed while you're at it. > >> > >> > > I suggested this as well, and even if we

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-29 Thread Deleu
I think you only need to handle merges locally if the pull request author didn't sign their commits: > You can always push local commits to the branch if the commits are signed and verified. > You can also merge signed and verified commits into the branch using a pull request on GitHub. > However,

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-28 Thread Ayesh Karunaratne
I think this is a great step forward. With commit signatures required, I think the person who merges a PR now needs to do so locally. [GitHub CLI](https://cli.github.com/) helps me a lot to locally checkout a PR quickly, and then rebase/squash with my own signature. Thanks to Levi Morrison and Nik

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-28 Thread Gabriel Caruso
On Mon, 29 Mar 2021, 03:30 Rasmus Lerdorf, wrote: > On Sun, Mar 28, 2021 at 17:15 Sara Golemon wrote: > > > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella > > wrote: > > > >> You might consider requiring commits be signed while you're at it. > >> > >> > > I suggested this as well, and even if we

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-28 Thread Rasmus Lerdorf
On Sun, Mar 28, 2021 at 17:15 Sara Golemon wrote: > On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella > wrote: > >> You might consider requiring commits be signed while you're at it. >> >> > I suggested this as well, and even if we don't require it, we should > STRONGLY encourage it. > > I've been s

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-28 Thread Sara Golemon
On Sun, Mar 28, 2021 at 6:57 PM Paul Crovella wrote: > You might consider requiring commits be signed while you're at it. > > I suggested this as well, and even if we don't require it, we should STRONGLY encourage it. I've been signing my commits for several years now, it's not even that hard.

Re: [PHP-DEV] Changes to Git commit workflow

2021-03-28 Thread Paul Crovella
You might consider requiring commits be signed while you're at it. On Sun, Mar 28, 2021 at 3:53 PM Nikita Popov wrote: > > Hi everyone, > > Yesterday (2021-03-28) two malicious commits were pushed to the php-src > repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how > exact

[PHP-DEV] Changes to Git commit workflow

2021-03-28 Thread Nikita Popov
Hi everyone, Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo [1] from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual gi