git.vger.kernel.org archive mirror
* OK to submit l10n PR with signed commits?
@ 2024-12-18 10:08 Bagas Sanjaya
  2024-12-18 14:49 ` Junio C Hamano
  0 siblings, 1 reply; 10+ messages in thread
From: Bagas Sanjaya @ 2024-12-18 10:08 UTC (permalink / raw)
  To: Git Mailing List, Git l10n discussion group; +Cc: Jiang Xin

Hi,

So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
pull request (which I should submit in this cycle). Is it OK to do that?
Drawbacks?

Thanks.

-- 
An old man doll... just what I always wanted! - Clara

* Re: OK to submit l10n PR with signed commits?
  2024-12-18 10:08 OK to submit l10n PR with signed commits? Bagas Sanjaya
@ 2024-12-18 14:49 ` Junio C Hamano
  2024-12-19  2:10   ` Bagas Sanjaya
  0 siblings, 1 reply; 10+ messages in thread
From: Junio C Hamano @ 2024-12-18 14:49 UTC (permalink / raw)
  To: Bagas Sanjaya; +Cc: Git Mailing List, Git l10n discussion group, Jiang Xin

Bagas Sanjaya <bagasdotme@gmail.com> writes:

> So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
> pull request (which I should submit in this cycle). Is it OK to do that?
> Drawbacks?

Instead of talking first about drawbacks, we should consider the
upsides.  Why would we even want to see your GPG signature, when
most of us do not even have your GPG public key in our keychains?

What are we trying to achieve by doing this?

* Re: OK to submit l10n PR with signed commits?
  2024-12-18 14:49 ` Junio C Hamano
@ 2024-12-19  2:10   ` Bagas Sanjaya
  2024-12-19  6:02     ` Junio C Hamano
  0 siblings, 1 reply; 10+ messages in thread
From: Bagas Sanjaya @ 2024-12-19  2:10 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Git Mailing List, Git l10n discussion group, Jiang Xin

On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
> Bagas Sanjaya <bagasdotme@gmail.com> writes:
> 
> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
> > pull request (which I should submit in this cycle). Is it OK to do that?
> > Drawbacks?
> 
> Instead of talking first about drawbacks, we should consider the
> upsides.  Why would we even want to see your GPG signature, when
> most of us do not even have your GPG public key in our keychains?
> 
> What are we trying to achieve by doing this?

Just to ensure that PR commits are really from the respective authors.

-- 
An old man doll... just what I always wanted! - Clara

* Re: OK to submit l10n PR with signed commits?
  2024-12-19  2:10   ` Bagas Sanjaya
@ 2024-12-19  6:02     ` Junio C Hamano
  2024-12-19 11:56       ` Bagas Sanjaya
  2024-12-19 14:46       ` Junio C Hamano
  0 siblings, 2 replies; 10+ messages in thread
From: Junio C Hamano @ 2024-12-19  6:02 UTC (permalink / raw)
  To: Bagas Sanjaya; +Cc: Git Mailing List, Git l10n discussion group, Jiang Xin

Bagas Sanjaya <bagasdotme@gmail.com> writes:

> On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
>> Bagas Sanjaya <bagasdotme@gmail.com> writes:
>> 
>> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
>> > pull request (which I should submit in this cycle). Is it OK to do that?
>> > Drawbacks?
>> 
>> Instead of talking first about drawbacks, we should consider the
>> upsides.  Why would we even want to see your GPG signature, when
>> most of us do not even have your GPG public key in our keychains?
>> 
>> What are we trying to achieve by doing this?
>
> Just to ensure that PR commits are really from the respective authors.

Yeah, but my point was that it would not ensure that, because practically
nobody has a way to validate that the signature was created with your
private key, and public keyservers were tainted a long time ago
with fake keys with the same fingerprint, so they would not work as a
good way to obtain your public key and be sure it is yours.

If this were "because we would want to eat our own dogfood", and if
we find bugs in our code when different people sign their commits
with their own signature schemes (i.e. you may sign yours with your
GPG key, somebody else may use their SSH key, and yet other people
use their X.509 certs), it might give us valuable insights, but the
resulting history may be irrevocably tainted if the bug is on the
signing side (if the bug is on the verification side, that is OK).

Thanks.

* Re: OK to submit l10n PR with signed commits?
  2024-12-19  6:02     ` Junio C Hamano
@ 2024-12-19 11:56       ` Bagas Sanjaya
  2024-12-19 14:46       ` Junio C Hamano
  1 sibling, 0 replies; 10+ messages in thread
From: Bagas Sanjaya @ 2024-12-19 11:56 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Git Mailing List, Git l10n discussion group, Jiang Xin

On Wed, Dec 18, 2024 at 10:02:34PM -0800, Junio C Hamano wrote:
> Bagas Sanjaya <bagasdotme@gmail.com> writes:
> 
> > On Wed, Dec 18, 2024 at 06:49:39AM -0800, Junio C Hamano wrote:
> >> Bagas Sanjaya <bagasdotme@gmail.com> writes:
> >> 
> >> > So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
> >> > pull request (which I should submit in this cycle). Is it OK to do that?
> >> > Drawbacks?
> >> 
> >> Instead of talking first about drawbacks, we should consider the
> >> upsides.  Why would we even want to see your GPG signature, when
> >> most of us do not even have your GPG public key in our keychains?
> >> 
> >> What are we trying to achieve by doing this?
> >
> > Just to ensure that PR commits are really from the respective authors.
> 
> Yeah, but my point was that it would not ensure that, because practically
> nobody has a way to validate that the signature was created with your
> private key, and public keyservers were tainted a long time ago
> with fake keys with the same fingerprint, so they would not work as a
> good way to obtain your public key and be sure it is yours.
> 
> If this were "because we would want to eat our own dogfood", and if
> we find bugs in our code when different people sign their commits
> with their own signature schemes (i.e. you may sign yours with your
> GPG key, somebody else may use their SSH key, and yet other people
> use their X.509 certs), it might give us valuable insights, but the
> resulting history may be irrevocably tainted if the bug is on the
> signing side (if the bug is on the verification side, that is OK).
> 
> Thanks.

OK, thanks! I will stick to unsigned commits then.

-- 
An old man doll... just what I always wanted! - Clara

* Re: OK to submit l10n PR with signed commits?
  2024-12-19  6:02     ` Junio C Hamano
  2024-12-19 11:56       ` Bagas Sanjaya
@ 2024-12-19 14:46       ` Junio C Hamano
  1 sibling, 0 replies; 10+ messages in thread
From: Junio C Hamano @ 2024-12-19 14:46 UTC (permalink / raw)
  To: Bagas Sanjaya; +Cc: Git Mailing List, Git l10n discussion group, Jiang Xin

Junio C Hamano <gitster@pobox.com> writes:

>>> Instead of talking first about drawbacks, we should consider the
>>> upsides.  Why would we even want to see your GPG signature, when
>>> most of us do not even have your GPG public key in our keychains?
>>> 
>>> What are we trying to achieve by doing this?
>>
>> Just to ensure that PR commits are really from the respective authors.
>
> Yeah, but my point was that it would not ensure that, because practically
> nobody has a way to validate that the signature was created with your
> private key, and public keyservers were tainted a long time ago
> with fake keys with the same fingerprint, so they would not work as a
> good way to obtain your public key and be sure it is yours.

I think I should rethink this.

I think it is fair to say that more than 99% of people won't have
your public key, and even if somebody gave it to them saying "this is
Bagas' key", they would not have a way to independently verify that
it is truly your key (and I think the same thing can be said of my
key).  But in today's world, there are a few places where it does not
matter all that much that you and I do not have each other's keys:
hosting sites.

I think both GitHub and GitLab let you register your public key, so
when they are about to show a commit (or a tag, for that matter),
they can

 - notice it is signed;
 - look up the author/tagger/committer ident of the Git object;
 - look up the ident in their user database;
 - find the key(s) of that user account; and
 - verify the signature using the key(s).

and display the user account to which the key that signed the Git
object is registered.

Now there may be ways to contaminate hosting sites with fake keys
that have the same fingerprints as the real ones registered to fake
user accounts, and that may render such a feature at the hosting
sites less useful.  I haven't thought through the security
implications.

Of course, $CORP or other organizations can have their members
register their public keys and do pretty much the same thing within
their closed world.  Safeguarding the public key database is their
problem, so I won't worry about it, unlike hosting sites where
practically anybody and their dog can create accounts ;-).

Thanks.

* Re: OK to submit l10n PR with signed commits?
@ 2024-12-19 17:06 Caleb White
  2024-12-19 17:27 ` Kristoffer Haugsbakk
  0 siblings, 1 reply; 10+ messages in thread
From: Caleb White @ 2024-12-19 17:06 UTC (permalink / raw)
  To: Bagas Sanjaya, Git Mailing List, Git l10n discussion group; +Cc: Jiang Xin

On Wed Dec 18, 2024 at 4:08 AM CST, Bagas Sanjaya wrote:
> So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
> pull request (which I should submit in this cycle). Is it OK to do that?
> Drawbacks?

The GPG signature is lost when emailing patches---so unless the PR is
actually being merged directly (and not using GGG) then it doesn't
matter.

Best,

Caleb


* Re: OK to submit l10n PR with signed commits?
  2024-12-19 17:06 Caleb White
@ 2024-12-19 17:27 ` Kristoffer Haugsbakk
  2024-12-20  1:08   ` Caleb White
  2024-12-20  7:39   ` Kristoffer Haugsbakk
  0 siblings, 2 replies; 10+ messages in thread
From: Kristoffer Haugsbakk @ 2024-12-19 17:27 UTC (permalink / raw)
  To: Caleb White, Bagas Sanjaya, Git Mailing List,
	Git l10n discussion group
  Cc: Jiang Xin

On Thu, Dec 19, 2024, at 18:06, Caleb White wrote:
> On Wed Dec 18, 2024 at 4:08 AM CST, Bagas Sanjaya wrote:
>> So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
>> pull request (which I should submit in this cycle). Is it OK to do that?
>> Drawbacks?
>
> The GPG signature is lost when emailing patches---so unless the PR is
> actually being merged directly (and not using GGG) then it doesn't
> matter.

The i10n project takes PRs on GitHub. That project is then later merged into
Junio’s tree. That’s how it’s relevant.

https://github.com/git-l10n/git-po/

* Re: OK to submit l10n PR with signed commits?
  2024-12-19 17:27 ` Kristoffer Haugsbakk
@ 2024-12-20  1:08   ` Caleb White
  2024-12-20  7:39   ` Kristoffer Haugsbakk
  1 sibling, 0 replies; 10+ messages in thread
From: Caleb White @ 2024-12-20  1:08 UTC (permalink / raw)
  To: Kristoffer Haugsbakk, Bagas Sanjaya, Git Mailing List,
	Git l10n discussion group
  Cc: Jiang Xin

On Thu Dec 19, 2024 at 11:27 AM CST, Kristoffer Haugsbakk wrote:
> On Thu, Dec 19, 2024, at 18:06, Caleb White wrote:
>> On Wed Dec 18, 2024 at 4:08 AM CST, Bagas Sanjaya wrote:
>>> So I'm interested in GPG-signing my commits (that is, ``git commit -S``) for the l10n
>>> pull request (which I should submit in this cycle). Is it OK to do that?
>>> Drawbacks?
>>
>> The GPG signature is lost when emailing patches---so unless the PR is
>> actually being merged directly (and not using GGG) then it doesn't
>> matter.
>
> The i10n project takes PRs on GitHub. That project is then later merged into
> Junio’s tree. That’s how it’s relevant.

Ah, good to know! However, I don't see any downsides to signing your
commits. I have git configured to always sign my commits and tags
automatically.

Best,

Caleb


* Re: OK to submit l10n PR with signed commits?
  2024-12-19 17:27 ` Kristoffer Haugsbakk
  2024-12-20  1:08   ` Caleb White
@ 2024-12-20  7:39   ` Kristoffer Haugsbakk
  1 sibling, 0 replies; 10+ messages in thread
From: Kristoffer Haugsbakk @ 2024-12-20  7:39 UTC (permalink / raw)
  To: Caleb White, Bagas Sanjaya, Git Mailing List,
	Git l10n discussion group, Junio C Hamano
  Cc: Jiang Xin

(Adding back To/CC)

On Thu, Dec 19, 2024, at 19:35, Junio C Hamano wrote:
> "Kristoffer Haugsbakk" <kristofferhaugsbakk@fastmail.com> writes:
>
>>> The GPG signature is lost when emailing patches---so unless the PR is
>>> actually being merged directly (and not using GGG) then it doesn't
>>> matter.
>>
>> The i10n project takes PRs on GitHub. That project is then later merged into
>> Junio’s tree. That’s how it’s relevant.
>
> Both of you are correct ;-)
>
>> https://github.com/git-l10n/git-po/
>
> I see l10n here; where did i10n come from (I know what i18n is).
> Sorry, I couldn't resist.

I thought we were talking about the incineration subproject. ;)
