Conversation
jbonofre left a comment:
Good idea!
FYI, here's CONTRIBUTING.md from Polaris that is interesting.
| @@ -0,0 +1,62 @@ | |||
| # Contributing Guidelines | |||
The ASF header is missing here.
| 2. Apache ActiveMQ releases are monitored with reproducible builds to ensure published binaries match the source tree | ||
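Review bot: this line asserts that releases "are monitored with reproducible builds" but gives a contributor nothing to act on; add a pointer to where that check runs or to the steps for verifying a release's binaries against the source tree, otherwise the sentence reads as a claim rather than guidance.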
| ## Credits |
| ## Triaging Issues | ||
| ## Code Contributions |
We can have a GH Issue template to help there.
| ### Certification of origin | ||
| 1. Apache ActiveMQ committers should sign all commits using an SSH key tied to their apache.org email address |
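Review bot: this line names an SSH key as the only signing mechanism, while the discussion on this PR notes that most committers already hold GPG keys for releases that can sign commits just as well; list both ("using an SSH or GPG key tied to their apache.org email address") and link the setup steps, since as written the line gives no hint of the configuration a committer needs before a signed commit will verify.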
I configured mine because I agree this is a good practice. But I think you should bring the discussion to the dev@ mailing list and most likely to a vote.
If you want to mention SSH, you should also mention GPG because most committers already have Apache signing keys for releases and it's pretty straightforward to reuse it to sign commits. (This is what I have done, for instance.)
FYI, that's not strictly required from an ASF standpoint. I don't want to see anything that can be seen as "limiting" the contributions.
Not sure I'm a big fan here.
This shouldn't be seen as limiting. The benefit of using SSH keys is that GitHub (or anyone else) never has the private secret. This is more secure all-around and starting to become the standard practice (and requirement!) for SOC2 and ISO security certifications used by enterprises (aka end users of ActiveMQ).
As a project, ActiveMQ can present a strong and modern security stance by having committers sign commits vs relying on GH secrets or passkeys.
edit: I'll make an SSH signing quick-start guide to accompany this to show how easy it is to use over passwords/tokens/passkeys.
My point is that it should not be required, but recommended.
I agree we can mark the statement as 'should' for now.
I do think we should try to progress towards required. Perhaps we let the new processes settle in this year and review how it's working.
> If you want to mention SSH, you should also mention GPG because most committers already have Apache signing keys for releases and it's pretty straightforward to reuse it to sign commits. (This is what I have done, for instance.)

One benefit of using SSH keys over GPG is that it allows one key for git id/authn/authz and code signing.