From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-vs1-f48.google.com (mail-vs1-f48.google.com [209.85.217.48])
 by mx.groups.io with SMTP id smtpd.web09.32545.1631551842746490432
 for <devel@edk2.groups.io>;
 Mon, 13 Sep 2021 09:50:42 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20210112 header.b=i4US7WwF;
 spf=pass (domain: gmail.com, ip: 209.85.217.48, mailfrom: pedro.falcato@gmail.com)
Received: by mail-vs1-f48.google.com with SMTP id d6so9065172vsr.7
        for <devel@edk2.groups.io>; Mon, 13 Sep 2021 09:50:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=qd95AlFgvV/JrvK5LVTl1jM4USrCHwiEQB35tGdo8Zg=;
        b=i4US7WwFGKjfnohSwPk59u00/w0M6CcWAQ0WfFdt+EF7G0I63vDth+YC5qMISbmJr0
         0+sTGFIEbSmwiBWJNSljvQUam2QYnpUdex5GjE89xo44rszgNsDjx0Le+USJE7zspQ1m
         7DlmTBKWo+62VekaEwUar5svzOaDOwjpfbaXaGO3hJb8/SYtcbPe1lTwjVbgFhKpXpfn
         Ai0Hz2sckcPXsdGZF6tOd10ZQJ1XD455aIHcQI1cDMgnwYzQMS88OwWuN3aNdgAXc48h
         viKWzFQm9UZVGD0vRKjqdldNn6bn6PKmr6FyAL8ugPvMbudU5wIbhQUaS+ZTPXKEYiW3
         3/bQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=qd95AlFgvV/JrvK5LVTl1jM4USrCHwiEQB35tGdo8Zg=;
        b=JzMVmUbjNmAcfu4h8LEMNj9kQ1JaiQ00fZ1N1BzdC2c/EPhir8R7OR9NjMjNczuxwD
         /4eKjAx253cCsfI27mVMkYg3llFKvyRj+pkFkNU6x1FLnsqTLgpTtusAUg9CthN9fBjs
         nNAy2tEqRscbIMTXWWdTB42xk9h2hp87YixOYon1W4hOfaeWOI8rvP2wqoDR0eRXUyKv
         /5pKqvl9S4ktrGCEbcL9KNgzWEFOmuH8ZIYOta8MgkmYl7tPY9+h62VPHvZ0y1/H8QgU
         PbXy+S6TrkajgD/pEf8zdzFNkcxN6r5VO5Z6WNuKYsblSxTdi9dPx03rssOHz4g4i6Gk
         vluA==
X-Gm-Message-State: AOAM532mWL/iO3vlzdpbwLWOUmRemjRit43Qqz0m7bMs2ox2KFP6RuBT
	zCXFZJwO7HcpTxhHKvvyS8H7piETsJmTylQ3ExFECbcUq2uwzQ==
X-Google-Smtp-Source: ABdhPJwN/p6Rc4b8kCdl3yunDm3Z9BuLkUtnTDxieIP7GgLUoDB+rwInXoSG32fzj5pAO6JAo1i7yYPV/kWinyPhvnQ=
X-Received: by 2002:a05:6102:483:: with SMTP id n3mr6001692vsa.42.1631551841915;
 Mon, 13 Sep 2021 09:50:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAKbZUD0-HoxnWG0ZpK9xhHxTxzX6Oif30-XVskznFVThu+SNZQ@mail.gmail.com>
 <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>
In-Reply-To: <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>
From: "Pedro Falcato" <pedro.falcato@gmail.com>
Date: Mon, 13 Sep 2021 17:50:31 +0100
Message-ID: <CAKbZUD1dE9iW2g8-AG6w7MGE7YJoeEEYpOuca31vasnCvqGMhA@mail.gmail.com>
Subject: Re: [edk2-devel] Question about EDK2 and commit signing
To: =?UTF-8?Q?Marvin_H=C3=A4user?= <mhaeuser@posteo.de>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi James, Marvin,

Interesting points of view.
I still have a question though: If any part of the process got
compromised (maintainer, or in the worst case scenario, the repo
itself), is there anything that could be done
in order to assess the damage? I'd say signing could help establish
trust in a lot of those cases

Thanks,
Pedro

On Sun, Sep 12, 2021 at 10:53 AM Marvin H=C3=A4user <mhaeuser@posteo.de> wr=
ote:
>
> Hey,
>
> Just my 2 cents...
>
> Contributors: Git's stance is the author doesn't really matter as long
> as the code is acceptable. For most people, you will not know them
> anyway and it does not buy you much to know they own GitHub account XY.
> If someone is impersonating a maintainer (who would push the changes
> directly after review), that would be obvious anyway.
>
> Maintainers: Why would someone have access to your SSH key but not your
> GPG key? Especially if your commits are auto-signed, both keys are
> likely equally readable. More factors do not meaningfully increase
> security if they are not clearly separate.
>
> I'm sure nobody minds your signatures though. :)
>
> Best regards,
> Marvin
>
> On 11/09/2021 20:25, Pedro Falcato wrote:
> > Hi everyone,
> >
> > Yesterday, when pushing my first commits to edk2-platforms (as the
> > Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
> > 71f3343) stick out like a sore thumb, as I have GPG signing on my
> > commits on by default (see git config commit.gpgsign), globally across
> > all my projects.
> >
> > Is there an official stance on signed commits? I was thinking that
> > commit signing, at least for the maintainers that apply and push
> > patches, could be useful as a way to establish authenticity for every
> > commit that gets to the edk2 repos.
> >
> > Best regards,
> >
> > Pedro Falcato
> >
> >
> >=20
> >
> >
>


--=20
Pedro Falcato