From: Pedro Falcato <pedro.falcato@gmail.com>
Date: Mon, 13 Sep 2021 17:50:31 +0100
Subject: Re: [edk2-devel] Question about EDK2 and commit signing
To: Marvin Häuser
Cc: edk2-devel-groups-io
In-Reply-To: <7752ca61-c66a-2667-7c3d-ab2eb10105b7@posteo.de>

Hi James, Marvin,

Interesting points of view. I still have a question though: If any part of the process got compromised (maintainer, or in the worst case scenario, the repo itself), is there anything that could be done in order to assess the damage?
I'd say signing could help establish trust in a lot of those cases.

Thanks,
Pedro

On Sun, Sep 12, 2021 at 10:53 AM Marvin Häuser wrote:
>
> Hey,
>
> Just my 2 cents...
>
> Contributors: Git's stance is the author doesn't really matter as long
> as the code is acceptable. For most people, you will not know them
> anyway and it does not buy you much to know they own GitHub account XY.
> If someone is impersonating a maintainer (who would push the changes
> directly after review), that would be obvious anyway.
>
> Maintainers: Why would someone have access to your SSH key but not your
> GPG key? Especially if your commits are auto-signed, both keys are
> likely equally readable. More factors do not meaningfully increase
> security if they are not clearly separate.
>
> I'm sure nobody minds your signatures though. :)
>
> Best regards,
> Marvin
>
> On 11/09/2021 20:25, Pedro Falcato wrote:
> > Hi everyone,
> >
> > Yesterday, when pushing my first commits to edk2-platforms (as the
> > Ext4Pkg maintainer), I noticed that my commits (see 7872c98 and
> > 71f3343) stick out like a sore thumb, as I have GPG signing on my
> > commits on by default (see git config commit.gpgsign), globally across
> > all my projects.
> >
> > Is there an official stance on signed commits? I was thinking that
> > commit signing, at least for the maintainers that apply and push
> > patches, could be useful as a way to establish authenticity for every
> > commit that gets to the edk2 repos.
> >
> > Best regards,
> >
> > Pedro Falcato
>

-- 
Pedro Falcato
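The damage-assessment question Pedro raises above (which commits can still be attributed to a maintainer key after a compromise) is the kind of thing commit signatures make tractable. The following is an added example, not code from this thread or from the edk2 project: it consumes the output of `git log --format='%H%x09%G?%x09%GK%x09%GS'` (git's own pretty-format placeholders for the hash, signature status, signing key ID and signer string) and sorts each commit into trusted-signed, signed-by-unknown-key, unsigned, stale-key, bad or unverifiable. The commit hashes, key IDs, signer strings and the maintainer allow-list in the sample are all constructed for the example.

```python
"""Audit commit signature status from `git log` output.

Added example for the edk2-devel commit-signing discussion; not project code.
Input lines look like the output of

    git log --format='%H%x09%G?%x09%GK%x09%GS' <rev-range>

i.e. full hash, %G? status code, signing key ID and signer, tab separated.
"""
import subprocess
from collections import Counter

LOG_FORMAT = "%H%x09%G?%x09%GK%x09%GS"

# Meaning of git's %G? signature status codes (from git's pretty-format docs).
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, but expired",
    "Y": "good signature, made by an expired key",
    "R": "good signature, made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}


def classify(status, key_id, trusted_keys):
    """Map one commit's status code and key ID to an audit verdict."""
    if status == "N":
        return "unsigned"
    if status == "B":
        return "bad"
    if status == "E":
        return "unverifiable"
    if status in ("X", "Y", "R"):
        return "stale-key"
    # "G" or "U": the signature is cryptographically good; what matters now is
    # whether the key is one the project actually trusts for pushes.
    return "trusted" if key_id in trusted_keys else "unknown-key"


def parse_log(text):
    """Split tab-separated git log lines into (hash, status, key_id, signer)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        # Unsigned commits expand %GK and %GS to empty strings; pad defensively.
        while len(parts) < 4:
            parts.append("")
        rows.append(tuple(parts[:4]))
    return rows


def audit(text, trusted_keys):
    """Return one record per commit with its verdict."""
    return [
        {"commit": h, "status": st, "key": key, "signer": signer,
         "verdict": classify(st, key, trusted_keys)}
        for h, st, key, signer in parse_log(text)
    ]


def summarize(results):
    """Count commits per verdict."""
    return dict(Counter(r["verdict"] for r in results))


def suspicious(results):
    """Commits that cannot be tied to a trusted maintainer key; review these first."""
    return [r["commit"] for r in results if r["verdict"] != "trusted"]


def audit_repo(rev_range, trusted_keys, repo="."):
    """Run git log on a real repository and audit it (needs git and gpg available)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(out, trusted_keys)


# Constructed sample: five commits, one allow-listed maintainer key.
TRUSTED_KEYS = {"AAAA1111BBBB2222"}  # hypothetical maintainer key ID
SAMPLE_LOG = (
    "a1" * 20 + "\tG\tAAAA1111BBBB2222\tMaintainer One <one@example.org>\n"
    + "b2" * 20 + "\tN\t\t\n"
    + "c3" * 20 + "\tU\tCCCC3333DDDD4444\tSomeone Else <else@example.org>\n"
    + "d4" * 20 + "\tB\tAAAA1111BBBB2222\tMaintainer One <one@example.org>\n"
    + "e5" * 20 + "\tE\tEEEE5555FFFF6666\t\n"
)

if __name__ == "__main__":
    res = audit(SAMPLE_LOG, TRUSTED_KEYS)
    print(summarize(res))
    for commit in suspicious(res):
        print("review:", commit[:12])
```

The allow-list is the part that does the work: a good signature from a key nobody vetted is no better than no signature, so `classify` only reports "trusted" for keys the project has enrolled. Marvin's caveat still applies: if a maintainer's GPG key sat next to the SSH key that was stolen, an attacker can produce "trusted" commits too, so the audit narrows the set of commits to examine rather than proving the rest benign.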