From: Jonathan Wakely <jwakely.gcc@gmail.com>
To: Mark Wielaard <mark@klomp.org>
Cc: overseers@sourceware.org, gcc@gcc.gnu.org,
binutils@sourceware.org, gdb@sourceware.org,
libc-alpha@sourceware.org
Subject: Re: Updated Sourceware infrastructure plans
Date: Mon, 22 Apr 2024 12:40:31 +0100 [thread overview]
Message-ID: <CAH6eHdTNnGXYj-4bRauDhR8pWZspRFJOxP++kRYvSqWkd+Ygdw@mail.gmail.com> (raw)
In-Reply-To: <966c58391b4d74bdc5ea607c76a8ba9b2c21263a.camel@klomp.org>
On Mon, 22 Apr 2024 at 11:24, Mark Wielaard wrote:
>
> Hi Jonathan,
>
> On Fri, 2024-04-19 at 10:33 +0100, Jonathan Wakely wrote:
> > On Thu, 18 Apr 2024 at 00:28, Mark Wielaard wrote:
> > > We also encourage projects to use signed git commits where it makes
> > > sense. This can be done through the gitsigur process which supports
> > > hoos to only allow known (registered) signatures.
> > > https://inbox.sourceware.org/overseers/ZIz4NB%2FAqWpSNj5d@elastic.org/
> > > But can of course also be done in other ways. See this overview of how
> > > sigsigur, sigstore and b4 can provide a signed commit/release workflow:
> > > https://inbox.sourceware.org/overseers/ZJ3Tihvu6GbOb8%2FR@elastic.org/
> >
> > Would it be possible for gitsigur to support signing commits with ssh
> > keys as well as gpg? Git supports this, and it's much easier for
> > everybody than having to set up gpg.
> >
> > We already need an SSH key on sourceware.org to push to Git, so all
> > those public keys could be treated as trusted (via git config
> > gpg.ssh.allowedSignersFile). You could then sign your commits with the
> > same key that you use to push to sourceware.
>
> O, nice, I didn't even know about this, while it has been available for
> years: https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/
Yeah, I only learned about it recently, from:
https://fosdem.org/2024/schedule/event/fosdem-2024-3611-so-you-think-you-know-git/
>
> BTW. Note that the other way around is also possible, using your gpg
> key as ssh key using gpg-agent --enable-ssh-support. See e.g.
> https://gnu.wildebeest.org/blog/mjw/2019/02/17/new-pgp-key/
>
> > Does requiring using a second, different key to sign commits really
> > add any value? If somebody has compromised my ssh key and can push to
> > sourceware, are we hoping that they won't have compromised my gpg key
> > as well?
>
> I think it depends on the policy you use for signing commits.
> Personally I only sign commits that correspond to a particular release.
> But you can of course sign all commits with your ssh key at the same
> time (I don't know if they mix though).
>
> Cheers,
>
> Mark
next prev parent reply other threads:[~2024-04-22 11:40 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-17 23:27 Mark Wielaard
2024-04-18 6:04 ` Thomas Koenig
2024-04-18 8:14 ` FX Coudert
2024-04-18 9:01 ` Christophe Lyon
2024-04-18 11:38 ` Janne Blomqvist
2024-04-18 12:01 ` Generated files in libgfortran for Fortran intrinsic procedures (was: Updated Sourceware infrastructure plans) Tobias Burnus
2024-04-18 12:32 ` Martin Uecker
2024-04-19 9:35 ` Updated Sourceware infrastructure plans Jonathan Wakely
2024-04-18 15:56 ` Joseph Myers
2024-04-18 17:37 ` Frank Ch. Eigler
2024-04-18 17:54 ` Joseph Myers
2024-04-18 18:29 ` Matt Rice
2024-04-22 15:39 ` Tom Tromey
2024-04-23 2:55 ` Jason Merrill
2024-04-23 3:12 ` Simon Marchi
2024-04-23 3:24 ` Tom Tromey
2024-04-23 3:51 ` Jason Merrill
2024-04-23 8:56 ` Mark Wielaard
2024-04-23 9:39 ` Richard Earnshaw (lists)
2024-04-23 15:08 ` Tom Tromey
2024-04-23 15:25 ` Simon Marchi
2024-04-24 8:49 ` Aktemur, Tankut Baris
2024-04-23 4:06 ` Ian Lance Taylor
2024-04-23 9:30 ` Richard Earnshaw (lists)
2024-04-23 13:51 ` Ian Lance Taylor
2024-05-01 19:15 ` Jeff Law
2024-05-01 19:38 ` Jonathan Wakely
2024-05-01 20:20 ` Mark Wielaard
2024-05-01 20:53 ` Tom Tromey
2024-05-01 21:04 ` Simon Marchi
2024-05-02 15:35 ` Pedro Alves
2024-05-02 23:05 ` Fangrui Song
2024-05-01 20:04 ` Jason Merrill
2024-05-01 21:26 ` Mark Wielaard
2024-05-01 22:01 ` Sergio Durigan Junior
2024-05-02 12:54 ` Claudio Bantaloukas
2024-05-02 15:33 ` Pedro Alves
2024-05-03 2:59 ` Ian Lance Taylor
2024-05-01 21:38 ` Jeff Law
2024-05-02 6:47 ` Richard Biener
2024-05-02 11:29 ` Ian Lance Taylor
2024-05-02 14:26 ` Simon Marchi
2024-05-02 11:45 ` Mark Wielaard
2024-05-01 22:56 ` Tom Tromey
2024-04-23 10:34 ` Florian Weimer
2024-04-22 10:01 ` Mark Wielaard
2024-04-22 13:23 ` Joseph Myers
2024-04-19 9:33 ` Jonathan Wakely
2024-04-22 10:24 ` Mark Wielaard
2024-04-22 11:40 ` Jonathan Wakely [this message]
2024-04-23 0:48 ` Frank Ch. Eigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAH6eHdTNnGXYj-4bRauDhR8pWZspRFJOxP++kRYvSqWkd+Ygdw@mail.gmail.com \
--to=jwakely.gcc@gmail.com \
--cc=binutils@sourceware.org \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).