nifi-dev mailing list archives

From Mike Thomsen <mikerthom...@gmail.com>
Subject Re: [EXT] Re: GitHub Stuff
Date Wed, 12 Jun 2019 15:36:38 GMT
I tried once to publish a GPG key I generated on my MBP, but didn't seem to
be able to get far with it. Are there any good ASF-centric resources for
setting up a GPG key?

Thanks,

Mike

On Wed, Jun 12, 2019 at 2:20 AM Koji Kawamura <ijokarumawak@gmail.com>
wrote:

> Thanks Bryan for the heads up.
>
> My GPG key had expired. I've renewed my key by extending the expiration.
> Now I've confirmed that my commits are marked as 'verified' on GitHub.
>
> Koji
>
> On Wed, Jun 12, 2019 at 5:43 AM Andy LoPresto <alopresto@apache.org>
> wrote:
> >
> > Peter,
> >
> > If you have specific issues setting it up, I’m happy to help debug. I
> > haven’t done it recently but am willing to investigate with you.
> >
> > Andy LoPresto
> > alopresto@apache.org
> > alopresto.apache@gmail.com
> > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> >
> > > On Jun 11, 2019, at 12:55 PM, Bryan Bende <bbende@gmail.com> wrote:
> > >
> > > I will admit I've never set up GPG signing on Linux. I'm sure there are
> > > some additional challenges there.
> > >
> > > Not sure if it is helpful, but there are a few things related to Linux
> > > that are mentioned on this GitHub page:
> > >
> > > https://help.github.com/en/articles/telling-git-about-your-signing-key
> > >
> > >
> > > On Tue, Jun 11, 2019 at 3:45 PM Kevin Doran <kdoran@apache.org> wrote:
> > >>
> > >> Yep, I support these suggestions.
> > >>
> > >> Setting up GPG does have a learning curve for folks that haven't done
> > >> it before, but I think our community would be helpful in assisting
> > >> folks on the mailing list and Apache NiFi Slack where they run into
> > >> trouble. It's a good practice to learn and once set up there's not much
> > >> more to do to get the benefits of it.
> > >>
> > >> Setting up GPG is also required when acting as release manager in
> > >> order to sign convenience binaries (and soon, as Andy brought up,
> > >> Maven release artifacts as well - I think that is also a good idea),
> > >> so the effort required to get set up for GPG has lots of benefits for
> > >> folks that are interested in RM'ing as well.
> > >>
> > >> Kevin
> > >>
> > >> On Tue, Jun 11, 2019 at 3:30 PM Peter Wicks (pwicks) <pwicks@micron.com> wrote:
> > >>>
> > >>> I like having signed commits. I develop on both Windows and Linux,
> > >>> but have only had success getting signing working on Windows (which
> > >>> was a bit complicated as it was). You can see when I switched from
> > >>> mostly Windows to mostly Linux by when I stopped signing commits...
> > >>>
> > >>> Thanks,
> > >>>  Peter
> > >>>
> > >>> -----Original Message-----
> > >>> From: Andy LoPresto <alopresto@apache.org>
> > >>> Sent: Tuesday, June 11, 2019 1:25 PM
> > >>> To: dev@nifi.apache.org
> > >>> Subject: [EXT] Re: GitHub Stuff
> > >>>
> > >>> I strongly support both of these suggestions. Thanks for starting
> > >>> the conversation Bryan. GPG signing is very important for security
> > >>> and for encouraging the rest of the community to adopt these
> > >>> practices as well.
> > >>>
> > >>>
> > >>> Andy LoPresto
> > >>> alopresto@apache.org
> > >>> alopresto.apache@gmail.com
> > >>> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
> > >>>
> > >>>> On Jun 11, 2019, at 11:42 AM, Bryan Bende <bbende@gmail.com> wrote:
> > >>>>
> > >>>> I had two thoughts related to our GitHub usage that I wanted to
> > >>>> throw out there for PMC members and committers...
> > >>>>
> > >>>> 1) I think it would be helpful if everyone set up the link between
> > >>>> their Apache id and GitHub [1]. Setting up this link puts you into
> > >>>> the nifi-committers group in Apache (currently 17 of us are in
> > >>>> there), and I believe this is what controls the list of users that
> > >>>> can be selected as a reviewer on a pull request. Since PRs are the
> > >>>> primary form of contribution, it would be nice if all of the
> > >>>> PMC/committers were in the reviewer list, but of course you can
> > >>>> continue to commit against Gitbox without doing this.
> > >>>>
> > >>>> 2) I also think it would be nice if most of the commits in the
> > >>>> repo were signed commits that show up as "Verified" in GitHub [2].
> > >>>> Right now I think we lose the verification if the user reviewing
> > >>>> the commit doesn't have signing set up, because when you amend the
> > >>>> commit to add "This closes ...", it technically produces a new
> > >>>> commit hash, thus making the original signature no longer apply
> > >>>> (at least this is what I think is happening, but others may know
> > >>>> more).
> > >>>>
> > >>>> These are obviously just my opinions and no one has to do these
> > >>>> things, but just thought I would throw it out there for discussion
> > >>>> in case anyone wasn't aware.
> > >>>>
> > >>>> -Bryan
> > >>>>
> > >>>> [1] https://gitbox.apache.org/setup/
> > >>>> [2] https://help.github.com/en/articles/signing-commits
> > >>>
> >
>
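
The amend-and-lose-verification behaviour raised at the start of the thread, as an added example that is not part of any message above: it serialises a git commit object, shows where the `gpgsig` header sits and which bytes it covers, and checks that amending the message yields a new object id whose contents the old signature does not cover. All names, identities and the signature text are constructed placeholders.

```python
import hashlib

def build_commit(tree, parent, author, committer, message):
    """Serialise an unsigned git commit object: headers, blank line, message."""
    headers = [f"tree {tree}", f"parent {parent}",
               f"author {author}", f"committer {committer}"]
    return ("\n".join(headers) + "\n\n" + message + "\n").encode()

def attach_signature(commit, armored_sig):
    """Add a gpgsig header; its continuation lines start with one space."""
    headers, _, message = commit.partition(b"\n\n")
    folded = armored_sig.strip().replace("\n", "\n ").encode()
    return headers + b"\ngpgsig " + folded + b"\n\n" + message

def signed_payload(commit):
    """Bytes the signature covers: the commit with its gpgsig header removed."""
    headers, _, message = commit.partition(b"\n\n")
    kept, in_sig = [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
        elif not (in_sig and line.startswith(b" ")):
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message

def object_id(commit):
    """Git object id: SHA-1 of 'commit <size>', a NUL byte, then the object."""
    return hashlib.sha1(b"commit %d\x00" % len(commit) + commit).hexdigest()

# Constructed sample values; none of them come from the NiFi repository.
TREE = hashlib.sha1(b"constructed tree").hexdigest()
PARENT = hashlib.sha1(b"constructed parent").hexdigest()
AUTHOR = "Contributor <contributor@example.org> 1560267720 +0000"
REVIEWER = "Reviewer <reviewer@example.org> 1560271320 +0000"
PLACEHOLDER_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n"
                   "(constructed placeholder, not a real signature)\n"
                   "-----END PGP SIGNATURE-----")

def demo():
    original = build_commit(TREE, PARENT, AUTHOR, AUTHOR, "Example change")
    signed = attach_signature(original, PLACEHOLDER_SIG)
    # The reviewer amends the message before merging; '<PR>' is a placeholder.
    amended = build_commit(TREE, PARENT, AUTHOR, REVIEWER,
                           "Example change\n\nThis closes #<PR>.")
    carried = attach_signature(amended, PLACEHOLDER_SIG)  # old signature reused
    return {"signature_covers_original": signed_payload(signed) == original,
            "id_changed_by_amend": object_id(signed) != object_id(amended),
            "old_signature_covers_amended": signed_payload(carried) == original}
```

In practice `git commit --amend` does not carry the old `gpgsig` header over at all; the amended commit is signed only if the person amending signs it with their own key (`git commit --amend -S` or `commit.gpgsign`).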
