public inbox for gentoo-portage-dev@lists.gentoo.org
* [gentoo-portage-dev] Enforced OpenPGP signatures
@ 2016-06-14  8:41 Alexander Berntsen
  2016-06-14 18:48 ` Robin H. Johnson
  2016-06-15 14:44 ` Brian Dolbec
  0 siblings, 2 replies; 4+ messages in thread
From: Alexander Berntsen @ 2016-06-14  8:41 UTC
  To: gentoo-portage-dev

Friends,

I saw Brian asking Michał to OpenPGP-sign his commits in IRC, to which
Michał quipped that we would have if it were enforced. So perhaps we
should just enforce it. Most of us do it -- but I see Zac not doing it
sometimes, seemingly at random. In any event, I don't think there's a
good reason *not* to sign things.

What do you think? And what's the procedure/who do we talk to, to get
a pre-push hook set up to enforce it?
-- 
Alexander
bernalex@gentoo.org
https://secure.plaimi.net/~alexander

* Re: [gentoo-portage-dev] Enforced OpenPGP signatures
  2016-06-14  8:41 [gentoo-portage-dev] Enforced OpenPGP signatures Alexander Berntsen
@ 2016-06-14 18:48 ` Robin H. Johnson
  2016-06-15  7:11   ` Alexander Berntsen
  2016-06-15 14:44 ` Brian Dolbec
  1 sibling, 1 reply; 4+ messages in thread
From: Robin H. Johnson @ 2016-06-14 18:48 UTC
  To: gentoo-portage-dev

On Tue, Jun 14, 2016 at 10:41:38AM +0200, Alexander Berntsen wrote:
> Friends,
> 
> I saw Brian asking Michał to OpenPGP-sign his commits in IRC, to which
> Michał quipped that we would have if it were enforced. So perhaps we
> should just enforce it. Most of us do it -- but I see Zac not doing it
> sometimes, seemingly at random. In any event, I don't think there's a
> good reason *not* to sign things.
> 
> What do you think? And what's the procedure/who do we talk to, to get
> a pre-push hook set up to enforce it?
A pre-push hook would only do it locally for you, it wouldn't enforce it
on the server side.

Please file a bug to have infra turn it on for the repos you want
(specify them in the bug). 

Here's the actual hook that's used:
https://github.com/gentoo/git-gx86-tools/blob/master/hooks/dev-git/update-02-gpg
Note that it only verifies on the master branch, and for merges, only
the merge-commit onto master is verified.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
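
Added example, not part of the original message and not the Gentoo infra hook linked above: a minimal server-side `update` hook applying the policy Robin describes, with signatures checked only on master and, for merges, only on the merge commit itself. `PROTECTED_REF` and `VERIFY` are names assumed here for illustration.

```sh
#!/bin/sh
# Sketch of a server-side "update" hook. Git runs it once per pushed ref as
#   update <refname> <old-id> <new-id>
# and a non-zero exit rejects that ref.
# Assumed names (not from the thread): PROTECTED_REF, VERIFY.
PROTECTED_REF="${PROTECTED_REF:-refs/heads/master}"
VERIFY="${VERIFY:-git verify-commit}"

# True for git's all-zero object id, used when a ref is created or deleted.
is_null_id() {
    case "$1" in
        *[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Commits that land on the branch itself. --first-parent keeps the walk out
# of merged-in side branches, so for a merge only the merge commit is listed.
commits_to_verify() {
    if is_null_id "$1"; then
        git rev-list --first-parent "$2"
    else
        git rev-list --first-parent "$1..$2"
    fi
}

check_update() {
    ref=$1 old=$2 new=$3
    [ "$ref" = "$PROTECTED_REF" ] || return 0   # other branches: not enforced
    is_null_id "$new" && return 0               # deletion: nothing to verify
    list=$(commits_to_verify "$old" "$new") || return 1   # fail closed
    status=0
    for c in $list; do
        if ! $VERIFY "$c" >/dev/null 2>&1; then
            echo "rejected: $c on $ref lacks a valid OpenPGP signature" >&2
            status=1
        fi
    done
    return "$status"
}

# Act as a hook only when git supplies the three arguments.
if [ "$#" -eq 3 ]; then
    check_update "$@"
fi
```

`git verify-commit` accepts any signature the hook account's keyring can verify, so which keys count as valid is decided by what is imported there. Unlike a client-side pre-push hook, this runs in the receiving repository and cannot be skipped by the pusher.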



* Re: [gentoo-portage-dev] Enforced OpenPGP signatures
  2016-06-14 18:48 ` Robin H. Johnson
@ 2016-06-15  7:11   ` Alexander Berntsen
  0 siblings, 0 replies; 4+ messages in thread
From: Alexander Berntsen @ 2016-06-15  7:11 UTC
  To: gentoo-portage-dev

On 14/06/16 20:48, Robin H. Johnson wrote:
> Please file a bug to have infra turn it on for the repos you want 
> (specify them in the bug).
Thank you, Robin. Will do once I have some sort of ACK, or at least a
long enough period without NACKs.

-- 
Alexander
bernalex@gentoo.org
https://secure.plaimi.net/~alexander

* Re: [gentoo-portage-dev] Enforced OpenPGP signatures
  2016-06-14  8:41 [gentoo-portage-dev] Enforced OpenPGP signatures Alexander Berntsen
  2016-06-14 18:48 ` Robin H. Johnson
@ 2016-06-15 14:44 ` Brian Dolbec
  1 sibling, 0 replies; 4+ messages in thread
From: Brian Dolbec @ 2016-06-15 14:44 UTC
  To: gentoo-portage-dev

On Tue, 14 Jun 2016 10:41:38 +0200
Alexander Berntsen <bernalex@gentoo.org> wrote:

> Friends,
> 
> I saw Brian asking Michał to OpenPGP-sign his commits in IRC, to which
> Michał quipped that we would have if it were enforced. So perhaps we
> should just enforce it. Most of us do it -- but I see Zac not doing it
> sometimes, seemingly at random. In any event, I don't think there's a
> good reason *not* to sign things.
> 
> What do you think? And what's the procedure/who do we talk to, to get
> a pre-push hook set up to enforce it?
> -- 
> Alexander
> bernalex@gentoo.org
> https://secure.plaimi.net/~alexander

I think it is a good idea to enforce signed commits.

We could even enforce signed pushes like we do the tree.

I think it is important that the primary package manager for Gentoo
have the same rules for committing as the tree does.

signed commits, signed pushes

-- 
Brian Dolbec <dolsen>
