Comments (4)
Looking into this a bit further, the --signoff requirement is from the need for CNCF to enforce a commit's "Developer Certificate of Origin". I discussed this with @duglin in Slack. That conversation is pasted below.
I think this issue should be closed, but will leave it open for a bit so folks can catch up.
--
Lance Ball 12:27 PM
@dug in the JS SDK, we have an issue open to discuss using GPG signed commits vs. --signoff. But I took a look at the commit logs for all of the other repos in the cloudevents org and it seems they all require --signoff commits. Is this a CNCF requirement or is it just convention... or something else?
dug 12:28 PM
let me check on how broad the requirement is... but DCO is the one we use
12:28
and --signoff is basically DCO
Lance Ball 12:28 PM
yeah
dug 12:31 PM
I don't think I've been involved in any project that requires GPG since I've never done that before 🙂
Lance Ball 12:34 PM
In GH repository branch protection settings you can check a box to require it. As a committer, once you configure it in git, it just happens - all commits are signed and you get the green Verified box for your commits in the commit log on GitHub.
dug 12:37 PM
is this really a problem for our SDKs? or is this more just a preventative thing? I would be nervous about raising the bar for a new committer - people already have trouble with git as it is. I would probably feel differently if k8s, kn, docker.... used GPG but, as I said, I've never seen the requirement
12:40
Another question... as I understand it, GPG is just about auth not about DCO, correct?
Lance Ball 12:41 PM
I think it came more from the fact that --signoff was a problem and I didn't want to suggest that we eliminate that without an alternative
12:42
definitely GPG is about auth and not DCO
dug 12:42 PM
why is --signoff a problem? Don't we need that if DCO is our CLA-thingy?
12:42
if anything I would think people who like GPG should be suggesting both, not just GPG
Lance Ball 12:42 PM
It's not a huge problem once you get used to it. But the first couple of PRs most people submit don't have signoff commits and have to fix it
dug 12:43 PM
yup - I can see that. But we need some kind of DCO/CLA process so it kind of feels like there are two threads being mixed up here
Lance Ball 12:43 PM
I'm fine not making this change. Really wanted to understand if the DCO requirement was coming from CNCF and if so, we'll probably just close this issue
12:43
(but I'm going to copy/paste this discussion to the issue)
dug 12:46 PM
so, I just checked and I'm told that the CNCF requires some kind of process - each project can choose DCO vs CLA vs ... but "no process" is not a valid choice. So, GPG vs --signoff are indeed separate topics
Lance Ball 12:46 PM
Understood - thanks for the clarification. I'll note all of this in the issue.
from sdk-javascript.
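The distinction drawn in the Slack conversation above (--signoff is the DCO statement, GPG is authentication), as an added example that is not part of the original thread or of the cloudevents project's tooling: a simplified DCO check of the kind a CI job could run on commit messages. The commit data, function names and matching rule (sign-off e-mail equals author e-mail) are assumptions made for illustration.

```javascript
// Added example: simplified DCO check over constructed commits (hypothetical data).
const sampleCommits = [
  { sha: "a1", author: "Ada Example <ada@example.org>",
    message: "fix: handle empty headers\n\nSigned-off-by: Ada Example <ada@example.org>\n" },
  { sha: "b2", author: "Ada Example <ada@example.org>",
    message: "docs: update README\n" },
  { sha: "c3", author: "Ada Example <ada@example.org>",
    message: "chore: bump deps\n\nSigned-off-by: Bob Sample <bob@example.org>\n" },
];

// Lower-cased address between <...>, or null if there is none.
function emailOf(identity) {
  const m = /<([^<>\s]+@[^<>\s]+)>/.exec(identity);
  return m ? m[1].toLowerCase() : null;
}

// Signed-off-by trailers live in the last paragraph of the message,
// which is where `git commit --signoff` appends them.
function signoffTrailers(message) {
  const paragraphs = message.trim().split(/\n\s*\n/);
  if (paragraphs.length < 2) return []; // subject line only, no trailer block
  return paragraphs[paragraphs.length - 1]
    .split("\n")
    .map((line) => /^Signed-off-by:\s*(.+)$/i.exec(line.trim()))
    .filter(Boolean)
    .map((m) => m[1]);
}

// Pass only when one sign-off carries the author's e-mail address.
// The trailer is plain text that anyone can type: this checks that the DCO
// statement is present, not who made the commit (that is what a GPG
// signature covers).
function checkDco(commit) {
  const emails = signoffTrailers(commit.message).map(emailOf).filter(Boolean);
  if (emails.length === 0) {
    return { sha: commit.sha, ok: false, reason: "missing Signed-off-by" };
  }
  const ok = emails.includes(emailOf(commit.author));
  return { sha: commit.sha, ok,
    reason: ok ? "signed off by author" : "sign-off does not match author" };
}

const results = sampleCommits.map(checkDco);
for (const r of results) console.log(`${r.sha}: ${r.ok ? "PASS" : "FAIL"} (${r.reason})`);
```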
I agree with that 👍
from sdk-javascript.
Yes please. I use GPG and have not seen any problems. It has been frustrating seeing commits fail for this project due to this requirement.
from sdk-javascript.
Closing this issue since it seems at best we could add GPG signed commits as a requirement and I'm not sure I want to do that.
from sdk-javascript.