Relax the signing requirements for the dotnetfoundation owner user #13792

Open. Wants to merge 3 commits into base: dev
Conversation

glennawatson

@glennawatson glennawatson commented Sep 18, 2024

This has been discussed with @JonDouglas who recommended making this proposal.

We went through our internal processes as recommended by @JonDouglas, including discussing in the Project committee and also the board level.

We want to make a formal request to relax the dotnetfoundation user's author signing requirements so that they are closer to those of a normal nuget.org owner, requiring only a root trusted authority author signature for the package.

Fixes NuGet/NuGetGallery#10187

@glennawatson glennawatson requested a review from a team as a code owner September 18, 2024 12:49
@dotnet-policy-service dotnet-policy-service bot added the Community PRs (and linked Issues) created by someone not in the NuGet team label Sep 18, 2024
@JonDouglas JonDouglas requested review from a team September 30, 2024 21:31
@glennawatson
Author

I, @glennawatson, board member of the .NET Foundation, was involved in a board meeting on 18 September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner require only a valid signing certificate with a valid root trusted authority.

@Perksey

Perksey commented Oct 1, 2024

I, @Perksey, can confirm through correspondence with .NET Foundation board members and personnel that the purpose and contents of this proposal to relinquish exclusive control over package signing authorities (pursuant to the policies within this proposal) to project maintainers are understood, discussed, and agreed through the usual .NET Foundation communication processes with affected .NET Foundation projects, including my own project Silk.NET. I acknowledge that this shall grant me as a package owner, along with other package owners including the dotnetfoundation where applicable, the permission to add certificates signed by a trusted root certification authority as defined in this proposal, and that this shall be an ongoing requirement, including in the event the .NET Foundation is no longer associated with the project. This attestation is the result of an independent evaluation of the proposal as a .NET Foundation project maintainer, as requested by @glennawatson.

@1kevgriff

I, @1kevgriff, President of the .NET Foundation, was involved in a board meeting on 18 September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner require only a valid signing certificate with a valid root trusted authority.

@mitchelsellers

I, @mitchelsellers, Vice-President of the .NET Foundation, was involved in a board meeting on 18 September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner require only a valid signing certificate with a valid root trusted authority.

@ChrisPulman

ChrisPulman commented Oct 1, 2024

To Whom It May Concern,

I, @ChrisPulman, am writing to formally attest that, through my role as a maintainer of the .NET Foundation project ReactiveUI and as a dedicated member of the ReactiveUI team, I have been actively involved in the development, maintenance, and enhancement of this advanced, composable, and functional reactive model-view-viewmodel (MVVM) framework for all .NET platforms.

Throughout my tenure, I have contributed to various aspects of the project, including but not limited to:

Implementing new features and improvements to enhance the framework's functionality and performance.
Collaborating with other maintainers and contributors to review and merge pull requests, ensuring high-quality code standards.
Providing support and guidance to the community through forums, GitHub issues, and other communication channels.
Writing and updating documentation to help users understand and effectively utilize ReactiveUI.

My commitment to the ReactiveUI project is driven by a passion for functional reactive programming and a desire to empower developers to build robust, testable, and maintainable applications. I am proud to be part of a project that significantly contributes to the .NET ecosystem and helps developers create better software.

In order to continue this work, we require the ability for NuGet to use certificates requiring only a root trusted authority author signature for the packages, thereby relaxing the dotnetfoundation user author signing requirements.

Sincerely,

@ChrisPulman

@JonDouglas
Contributor

Thank you all so much. Let me get this in the team's review queue now.

Would anyone like to attend? Otherwise, we can just go do the work.


@JonDouglas JonDouglas left a comment

LGTM and various members attested to this change to drive it forward.

@JonDouglas
Contributor

JonDouglas commented Oct 4, 2024

We met earlier today and there are no major concerns here. I do, however, want to inform you of some limitations.

We can relax the signing requirements, but we do not have granular control such as keeping the signing requirement AND allowing owners to provide whatever author signing certificate they want.

We would have to disable the signing requirement and the DNF will have to enforce the requirement to get the desired experience.

Is that okay?

@JonDouglas
Contributor

Filed this issue to best write down the discussed requirements for the desired long-term solution:

NuGet/NuGetGallery#10202

This PR has been automatically marked as stale because it has had no activity for 30 days. It will be closed if no further activity occurs within another 330 days of this comment. If it is closed, you may reopen it at any time when you're ready again, as long as you don't delete the branch.

@dotnet-policy-service dotnet-policy-service bot removed the Status:No recent activity No recent activity. label Nov 9, 2024
@Perksey

Perksey commented Nov 9, 2024

~yes~ activity ~yes~


Labels
Community PRs (and linked Issues) created by someone not in the NuGet team Status:No recent activity No recent activity.
Successfully merging this pull request may close these issues.

[Feature]: Relax the requirements for the dotnetfoundation user
6 participants