Relax the signing requirements for the dotnetfoundation owner user #13792
I @glennawatson, board member of the .NET Foundation, was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require a valid signing certificate with a valid root trusted authority.

I @Perksey can confirm through correspondence with .NET Foundation board members and personnel that the purpose and contents of this proposal to relinquish exclusive control over package signing authorities (pursuant to the policies within this proposal) to project maintainers is understood, discussed, and agreed through usual .NET Foundation communication processes with affected .NET Foundation projects, including my own project Silk.NET. I acknowledge that this shall grant me as a package owner, along with other package owners including the dotnetfoundation where applicable, the permission to add certificates signed by a trusted root certification authority as defined in this proposal and that this shall be an ongoing requirement, including in the event the .NET Foundation is no longer associated with the project. This attestation is as a result of an independent evaluation of the proposal as a .NET Foundation project maintainer as requested by @glennawatson.

I @1kevgriff, President of the .NET Foundation, was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require a valid signing certificate with a valid root trusted authority.

I @mitchelsellers, Vice-President of the .NET Foundation, was involved in a board meeting on the 18th September 2024 at 00:00 UTC where we discussed and agreed to have packages owned by the DNF owner only require a valid signing certificate with a valid root trusted authority.

To Whom It May Concern, I @ChrisPulman am writing to formally attest that, through my role as a maintainer of the .NET Foundation project ReactiveUI and as a dedicated member of the ReactiveUI team, I have been actively involved in the development, maintenance, and enhancement of this advanced, composable, and functional reactive model-view-viewmodel (MVVM) framework for all .NET platforms. Throughout my tenure, I have contributed to various aspects of the project, including but not limited to: implementing new features and improvements to enhance the framework's functionality and performance. In order to continue these works we require the ability for NuGet to use certificates only requiring a root trusted authority author signature for the packages, thereby relaxing the dotnetfoundation user author signing requirements. Sincerely,
Thank you all so much. Let me get this in the team's review queue now. Would anyone like to attend? Otherwise, we can just go do the work.
LGTM and various members attested to this change to drive it forward.
We met earlier today and there are no major concerns here. I do however want to inform you of some limitations. We can relax the signing requirements, but we do not have the granular control such as keeping the signing requirement AND allowing owners to provide whatever author signing certificate they want. We would have to disable the signing requirement and the DNF will have to enforce the requirement to get the desired experience. Is that okay?

Filed this issue to best write down the discussed requirements for the desired long-term solution:

This PR has been automatically marked as stale because it has no activity for 30 days. It will be closed if no further activity occurs within another 330 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch.

~yes~ activity ~yes~

This PR has been automatically marked as stale because it has no activity for 30 days. It will be closed if no further activity occurs within another 330 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch.
This has been discussed with @JonDouglas who recommended making this proposal.
We went through our internal processes as recommended by @JonDouglas, including discussing in the Project committee and also the board level.
We want to make a formal request to relax the dotnetfoundation user author signing requirements to be closer to those of a normal nuget.org owner, only requiring a root trusted authority author signature for the package.
Fixes NuGet/NuGetGallery#10187