Date: Mon, 22 Apr 2024 20:48:22 -0400
From: "Frank Ch. Eigler"
To: Overseers mailing list
Cc: Mark Wielaard, Jonathan Wakely, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Updated Sourceware infrastructure plans
Message-ID: <20240423004822.GC4681@redhat.com>
References: <20240417232725.GC25080@gnu.wildebeest.org>

Hi -

> Would it be possible for gitsigur to support signing commits with ssh
> keys as well as gpg? Git supports this, and it's much easier for
> everybody than having to set up gpg. [...]

It would save some effort, but OTOH plenty of people have gpg keys
too, and the common desktop key agents support both.

> We already need an SSH key on sourceware.org to push to Git, so all
> those public keys could be treated as trusted (via git config
> gpg.ssh.allowedSignersFile). [...]

One difference is that gitsigur aims to prevent impersonation, by
tying the recorded committer to a designated set of keys for that
committer. The git builtin ssh-signing gadget doesn't attempt this.
But maybe just a small matter of wrapping might do the job. Filed
https://sourceware.org/bugzilla/show_bug.cgi?id=31670 .

> I'm already signing my GCC commits that way, without needing to use
> gpg or gitsigur:

Great, keep it up! Nothing has been stopping people from signing
their commits any way they like, including even more complex ways like
sigstore. gitsigur verification is not enabled (even in permissive
mode) at all for gcc at this time.

> commit 7c2a9dbcc2c1cb1563774068c59d5e09edc59f06 [r14-10008-g7c2a9dbcc2c1cb]
> Good "git" signature for jwakely@redhat.com with RSA key
> SHA256:8rFaYhDWn09c3vjsYIg2JE9aSpcxzTnCqajoKevrUUo

Thanks, this will help test a prototype later on.

- FChE
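
Added example, not part of the original message and not gitsigur's code: a sketch of the committer-to-key check discussed above, layered on an allowed-signers file. It accepts a signature only when the signing key's fingerprint is listed under the recorded committer's own address. The function names, addresses and key blobs are constructed for illustration, and the parser assumes options contain no spaces.

```python
import base64
import hashlib

# Constructed sample data: placeholder key blobs and addresses, not real keys.
ALICE_KEY = base64.b64encode(b"constructed-alice-key-blob").decode()
BOB_KEY = base64.b64encode(b"constructed-bob-key-blob").decode()
CA_KEY = base64.b64encode(b"constructed-ca-key-blob").decode()
ALLOWED_SIGNERS = f"""\
# principals [options] keytype base64-key [comment]
alice@example.org ssh-ed25519 {ALICE_KEY} laptop
bob@example.org,bob@example.net namespaces="git" ssh-ed25519 {BOB_KEY}
*@example.org cert-authority ssh-ed25519 {CA_KEY}
"""
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(b64_key):
    """OpenSSH-style fingerprint: SHA256 over the key blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_designated_keys(text):
    """Map each exact-address principal to the fingerprints listed for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields[1:], 1)
                    if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # no key type or key blob on this line
        if any("cert-authority" in f.split(",") for f in fields[1:idx]):
            continue  # a CA entry does not designate one committer's key
        for principal in fields[0].split(","):
            if any(c in principal for c in "*?!"):
                continue  # patterns cannot pin a key to one identity
            table.setdefault(principal, set()).add(fingerprint(fields[idx + 1]))
    return table


def committer_matches_key(table, committer_email, signing_fp):
    """True only if the signing key is designated for the recorded committer."""
    return signing_fp in table.get(committer_email, set())
```

The fingerprint argument corresponds to the `SHA256:...` value in a verification line like the one quoted above; the committer address comes from the commit object itself.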