From: Mark Wielaard <mark@klomp.org>
To: Jonathan Wakely <jwakely.gcc@gmail.com>
Cc: overseers@sourceware.org, gcc@gcc.gnu.org,
binutils@sourceware.org, gdb@sourceware.org,
libc-alpha@sourceware.org
Subject: Re: Updated Sourceware infrastructure plans
Date: Mon, 22 Apr 2024 12:24:48 +0200 [thread overview]
Message-ID: <966c58391b4d74bdc5ea607c76a8ba9b2c21263a.camel@klomp.org> (raw)
In-Reply-To: <CAH6eHdSnMtHOdb2WCqR83Km5b_EmuM1Ni12oMjsXU_1u9GA7Nw@mail.gmail.com>
Hi Jonathan,
On Fri, 2024-04-19 at 10:33 +0100, Jonathan Wakely wrote:
> On Thu, 18 Apr 2024 at 00:28, Mark Wielaard wrote:
> > We also encourage projects to use signed git commits where it makes
> > sense. This can be done through the gitsigur process which supports
> > hoos to only allow known (registered) signatures.
> > https://inbox.sourceware.org/overseers/ZIz4NB%2FAqWpSNj5d@elastic.org/
> > But can of course also be done in other ways. See this overview of how
> > sigsigur, sigstore and b4 can provide a signed commit/release workflow:
> > https://inbox.sourceware.org/overseers/ZJ3Tihvu6GbOb8%2FR@elastic.org/
>
> Would it be possible for gitsigur to support signing commits with ssh
> keys as well as gpg? Git supports this, and it's much easier for
> everybody than having to set up gpg.
>
> We already need an SSH key on sourceware.org to push to Git, so all
> those public keys could be treated as trusted (via git config
> gpg.ssh.allowedSignersFile). You could then sign your commits with the
> same key that you use to push to sourceware.
O, nice, I didn't even know about this, while it has been available for
years: https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/
BTW. Note that the other way around is also possible, using your gpg
key as ssh key using gpg-agent --enable-ssh-support. See e.g.
https://gnu.wildebeest.org/blog/mjw/2019/02/17/new-pgp-key/
> Does requiring using a second, different key to sign commits really
> add any value? If somebody has compromised my ssh key and can push to
> sourceware, are we hoping that they won't have compromised my gpg key
> as well?
I think it depends on the policy you use for signing commits.
Personally I only sign commits that correspond to a particular release.
But you can of course sign all commits with your ssh key at the same
time (I don't know if they mix though).
Cheers,
Mark
next prev parent reply other threads:[~2024-04-22 10:24 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-17 23:27 Mark Wielaard
2024-04-18 6:04 ` Thomas Koenig
2024-04-18 8:14 ` FX Coudert
2024-04-18 9:01 ` Christophe Lyon
2024-04-18 11:38 ` Janne Blomqvist
2024-04-18 12:01 ` Generated files in libgfortran for Fortran intrinsic procedures (was: Updated Sourceware infrastructure plans) Tobias Burnus
2024-04-18 12:32 ` Martin Uecker
2024-04-19 9:35 ` Updated Sourceware infrastructure plans Jonathan Wakely
2024-04-18 15:56 ` Joseph Myers
2024-04-18 17:37 ` Frank Ch. Eigler
2024-04-18 17:54 ` Joseph Myers
2024-04-18 18:29 ` Matt Rice
2024-04-22 15:39 ` Tom Tromey
2024-04-23 2:55 ` Jason Merrill
2024-04-23 3:12 ` Simon Marchi
2024-04-23 3:24 ` Tom Tromey
2024-04-23 3:51 ` Jason Merrill
2024-04-23 8:56 ` Mark Wielaard
2024-04-23 9:39 ` Richard Earnshaw (lists)
2024-04-23 15:08 ` Tom Tromey
2024-04-23 15:25 ` Simon Marchi
2024-04-24 8:49 ` Aktemur, Tankut Baris
2024-04-23 4:06 ` Ian Lance Taylor
2024-04-23 9:30 ` Richard Earnshaw (lists)
2024-04-23 13:51 ` Ian Lance Taylor
2024-05-01 19:15 ` Jeff Law
2024-05-01 19:38 ` Jonathan Wakely
2024-05-01 20:20 ` Mark Wielaard
2024-05-01 20:53 ` Tom Tromey
2024-05-01 21:04 ` Simon Marchi
2024-05-02 15:35 ` Pedro Alves
2024-05-02 23:05 ` Fangrui Song
2024-05-01 20:04 ` Jason Merrill
2024-05-01 21:26 ` Mark Wielaard
2024-05-01 22:01 ` Sergio Durigan Junior
2024-05-02 12:54 ` Claudio Bantaloukas
2024-05-02 15:33 ` Pedro Alves
2024-05-03 2:59 ` Ian Lance Taylor
2024-05-01 21:38 ` Jeff Law
2024-05-02 6:47 ` Richard Biener
2024-05-02 11:29 ` Ian Lance Taylor
2024-05-02 14:26 ` Simon Marchi
2024-05-02 11:45 ` Mark Wielaard
2024-05-01 22:56 ` Tom Tromey
2024-04-23 10:34 ` Florian Weimer
2024-04-22 10:01 ` Mark Wielaard
2024-04-22 13:23 ` Joseph Myers
2024-04-19 9:33 ` Jonathan Wakely
2024-04-22 10:24 ` Mark Wielaard [this message]
2024-04-22 11:40 ` Jonathan Wakely
2024-04-23 0:48 ` Frank Ch. Eigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=966c58391b4d74bdc5ea607c76a8ba9b2c21263a.camel@klomp.org \
--to=mark@klomp.org \
--cc=binutils@sourceware.org \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=jwakely.gcc@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).