From: Matthew Thode
Date: Mon, 04 Jun 2012 09:03:02 -0500
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing

On 06/04/2012 07:34 AM, Rich Freeman wrote:
> On Mon, Jun 4, 2012 at 2:50 AM, Dirkjan Ochtman wrote:
>> On Sun, Jun 3, 2012 at 9:35 PM, Andreas K. Huettel wrote:
>>> However, then the "committer" of the contributed commits before the merge is
>>> then the user, I guess?
>>>
>>> (The rule meaning as suggested by Robin
>>>> - if you include a commit from a user:
>>>> author := non-@gentoo
>>>> committer := @gentoo
>>>> signer := $committer
>>
>> I guess, I'm not sure how the committer thing works in git.
>>
>
> Well, only Robin can explain exactly what he meant, but it sounds like
> we don't want the committer field to ever have a non-gentoo email in
> it, and signatures should be gentoo as well. So, if a dev just
> applies a patch to their tree/etc then there is no issue (just set
> author). If a dev wants to actually pull in a commit they'd need to
> edit the fields accordingly and re-sign it. Not sure offhand how to
> best do that (I assume it is possible - probably with some variation
> on rebase or something rebase calls).
>
> I don't think the intent is to snub non-devs. The issue is what is
> the purpose of the signatures and committers field in the first place.
> The signature verifies that the commit is intact, and you can only do
> that if you have a key to check it with, and you can trust that key.
> If the signer is a dev then we already have policy that the keys need
> to be published, and we have a list of key IDs on our website. I'm
> sure that could be improved on. If we stick non-dev signatures in the
> tree then that becomes more of a problem (though it clearly is
> possible - maybe something to think about). I assume the committer
> denotes a layer of accountability, and having a dev in that spot makes
> sense (devs who are proxies are accountable for oversight at some
> level - though I'd personally give them the benefit of the doubt since
> we want to encourage the proxy role).
>
> I think the key with git is to not let the perfect be the enemy of the
> good. We don't have an unbroken signature chain on our current
> portage tree, so I don't think we need one to move to git. As long as
> git is at least as good as what we have now, then we should accept it.
> We should of course strive to improve, but let's not keep the almost
> completely unsigned cvs around for another 10 years while we argue
> about signatures.
>
> Rich
>

I think the intent is to only have commits and signoffs come from
@gentoo, but we need a way to give attribution to users who send stuff
in that gets committed.

-- 
-- Matthew Thode (prometheanfire)
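The rule quoted in this thread (author may be non-@gentoo, committer @gentoo, signer = committer) can be checked mechanically against a raw commit object, i.e. the text printed by `git cat-file commit <id>`. The following is an added example, not part of the original message or of any Gentoo tooling; the function names, the sample identities and the `signer_email` parameter (the address on the key that verified the signature, supplied by a separate verification step) are assumptions.

```python
import re

DEV_DOMAIN = "gentoo.org"   # committer and signer must be in this domain
IDENT = re.compile(r"^.* <(?P<email>[^<>]*)> \d+ [+-]\d{4}$")
USER = "Some User <user@example.org>"   # constructed sample identities
DEV = "Some Dev <dev@gentoo.org>"


def parse_commit(raw):
    """Split a raw commit object (text of `git cat-file commit`) into headers."""
    head, _, message = raw.partition("\n\n")
    fields, last = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and last:   # continuation, e.g. gpgsig armor
            fields[last] += "\n" + line[1:]
            continue
        last, _, value = line.partition(" ")
        fields.setdefault(last, value)
    return fields, message


def check_policy(raw, signer_email=None):
    """Return policy violations for one commit; empty list means it passes."""
    # signer_email: address on the key that verified the signature, supplied
    # by the caller (assumption); a gpgsig header alone proves nothing.
    fields, _ = parse_commit(raw)
    author = IDENT.match(fields.get("author", ""))
    committer = IDENT.match(fields.get("committer", ""))
    if not author or not committer:
        return ["malformed author or committer"]
    problems = []
    email = committer["email"].lower()
    if email.rpartition("@")[2] != DEV_DOMAIN:   # exact domain, not a substring
        problems.append("committer is not @" + DEV_DOMAIN)
    if "gpgsig" not in fields:
        problems.append("commit is unsigned")
    elif signer_email is None or signer_email.lower() != email:
        problems.append("signer is not the committer")
    return problems


def sample_commit(author, committer, signed):
    """Build a constructed raw commit; the signature armor is a placeholder."""
    lines = ["tree " + "0" * 40, "author %s 1338818582 -0500" % author,
             "committer %s 1338818600 -0500" % committer]
    if signed:
        lines += ["gpgsig -----BEGIN PGP SIGNATURE-----", " ",
                  " (placeholder)", " -----END PGP SIGNATURE-----"]
    return "\n".join(lines) + "\n\nfix typo in ebuild\n"
```

A commit pulled in unchanged from a contributor fails on the committer field, while the same change applied by a dev with only the author set to the contributor passes and still carries the attribution.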