Newsgroups: php.internals
Date: Tue, 9 Apr 2024 20:44:34 +0200
Subject: Re: [PHP-DEV] Requiring GPG Commit Signing
To: Derick Rethans, PHP Developers Mailing List
From: tim@bastelstu.be (Tim Düsterhus)
References: <3e988b3b-65b8-13d3-16cf-1296bfdd7ed2@php.net> <848f7e51-b987-93d0-f900-5f09302ebd12@php.net>
In-Reply-To: <848f7e51-b987-93d0-f900-5f09302ebd12@php.net>

Hi

On 4/9/24 13:02, Derick Rethans wrote:
> It seems that most of the reply to this was positive, although with the
> realisation that it wouldn't be a panacea.
>
> I will therefore propose a minimalistic RFC to create this requirement
> to sign commits to all branches, in the next few days.
>
> I probably would have preferred requiring *GPG* signing (due to a web of
> trust), but GitHub's requirement isn't that granular (it's either
> SSG+GPG, or nothing).
>
> Any other opinions, I'd be delighted to hear them.

Web of trust for PGP is effectively dead since
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.

Requiring any type of signature on the commits is fine. The distinct
public keys will build reputation on their own by making good commits.

More signatures is certainly better than fewer. In fact I would find it
sufficient to just *strongly encourage* the regular committers to set up
signing, even without actually enforcing it on GitHub.

Best regards
Tim Düsterhus