AW: QT4 CG Meeting 002 Minutes, 2022-09-13

I managed to create signed pull requests. Some comments on what I needed to do in addition to what is described in the GitHub documentation (on Windows 11, with git 2.37.0 and ssh 9.0p1):

• Adding the public SSH key via git config --global user.signingkey didn’t work. I had to add the local path to the key instead (using forward slashes).
• I had to upload my public SSH key for a second time, with “Signing Key” supplied as key type (https://github.com/settings/ssh/new)
• I created a local allowedSignersFile to be able to verify the signatures before pushing them to the repository (see e.g. https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/)

If others encounter similar problems, I’d still be open to discussing if we need signing.

Hope this helps,
Christian

________________________________
From: Christian Grün
Sent: Wednesday, 28 September 2022 09:04
To: Norm Tovey-Walsh <norm@saxonica.com>; Michael Kay <mike@saxonica.com>
Cc: public-xslt-40@w3.org <public-xslt-40@w3.org>
Subject: AW: QT4 CG Meeting 002 Minutes, 2022-09-13

I have written some new qt4 tests for fn:intersperse, and I’m encountering the same problem as Michael did. My latest commits need to be signed to be accepted:

https://github.com/qt4cg/qt4tests/pull/18

So far, I haven’t spent more than an hour to make this work. I eventually wondered if we need this strict rule for our workflow: The number of contributors is small and well-known, and I assume that no pull request will simply be merged without someone having had a brief look at its contents.

If we decide to disable the rule, it could probably be done by looking at Settings » Branches » Branch Protection Rules.

What does everyone think?
Christian

________________________________
From: Norm Tovey-Walsh
Sent: Wednesday, 14 September 2022 09:58
To: Michael Kay
Cc: public-xslt-40@w3.org
Subject: Re: QT4 CG Meeting 002 Minutes, 2022-09-13

Michael Kay <mike@saxonica.com> writes:
> I created and pushed a branch with these changes, but creating a pull
> request failed with an error about signing the commits (a process I'm
> not familiar with).

GitHub is attempting to tighten security on public repositories. (I’ll
have another message about this in a few minutes) Here are the details
about signing commits:

  https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

Basically, this assures that a commit that is purported to have come
from Michael Kay really came from you.

We can probably turn this off if it’s odious, but signed commits seemed
like a reasonable precaution.

                                        Be seeing you,
                                          norm

--
Norm Tovey-Walsh
Saxonica

Received on Wednesday, 28 September 2022 08:36:40 UTC