From: "Pedro Falcato" <pedro.falcato@gmail.com>
To: "Marvin Häuser" <mhaeuser@posteo.de>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>
Subject: Re: [edk2-devel] Question about EDK2 and commit signing
Date: Mon, 13 Sep 2021 17:50:31 +0100 [thread overview]
Message-ID: <CAKbZUD1dE9iW2g8-AG6w7MGE7YJoeEEYpOuca31vasnCvqGMhA@mail.gmail.com> (raw)
In-Reply-To: <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>
Hi James, Marvin,
Interesting points of view.
I still have a question though: If any part of the process got
compromised (maintainer, or in the worst case scenario, the repo
itself), is there anything that could be done
in order to assess the damage? I'd say signing could help establish
trust in a lot of those cases
Thanks,
Pedro
On Sun, Sep 12, 2021 at 10:53 AM Marvin Häuser <mhaeuser@posteo.de> wrote:
>
> Hey,
>
> Just my 2 cents...
>
> Contributors: Git's stance is the author doesn't really matter as long
> as the code is acceptable. For most people, you will not know them
> anyway and it does not buy you much to know they own GitHub account XY.
> If someone is impersonating a maintainer (who would push the changes
> directly after review), that would be obvious anyway.
>
> Maintainers: Why would someone have access to your SSH key but not your
> GPG key? Especially if your commits are auto-signed, both keys are
> likely equally readable. More factors do not meaningfully increase
> security if they are not clearly separate.
>
> I'm sure nobody minds your signatures though. :)
>
> Best regards,
> Marvin
>
> On 11/09/2021 20:25, Pedro Falcato wrote:
> > Hi everyone,
> >
> > Yesterday, when pushing my first commits to edk2-platforms (as the
> > Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
> > 71f3343) stick out like a sore thumb, as I have GPG signing on my
> > commits on by default (see git config commit.gpgsign), globally across
> > all my projects.
> >
> > Is there an official stance on signed commits? I was thinking that
> > commit signing, at least for the maintainers that apply and push
> > patches, could be useful as a way to establish authenticity for every
> > commit that gets to the edk2 repos.
> >
> > Best regards,
> >
> > Pedro Falcato
> >
> >
> >
> >
> >
>
--
Pedro Falcato
next prev parent reply other threads:[~2021-09-13 16:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-11 18:25 Question about EDK2 and commit signing Pedro Falcato
2021-09-11 21:48 ` [edk2-devel] " James Bottomley
2021-09-12 9:53 ` Marvin Häuser
2021-09-13 16:50 ` Pedro Falcato [this message]
2021-09-13 19:31 ` Marvin Häuser
2021-09-14 18:02 ` James Bottomley
2021-09-14 20:18 ` Marvin Häuser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKbZUD1dE9iW2g8-AG6w7MGE7YJoeEEYpOuca31vasnCvqGMhA@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox