Meeting time 2025-07-15T01:00:00Z
Agenda Items:
- Determine whether to continue making GPG Signing a requirement for contributions.
- Context: All repos in the open-rmf org currently require GPG signatures to verify the identity of the contributor. This is not something that GitHub users typically have set up, and it can lead to considerable friction for first-time contributors.
- None of the other OSRA projects currently require GPG signing, nor do they have any intention of adding this as a requirement.
- The level of security this requirement provides is dubious. Anyone can get a “verified” GPG signature by creating a GitHub account and setting up the keys. It is only relevant when used by contributors who are personally known to the reviewers, such as PMC members or regular contributors.
- First-time users can easily get confused and frustrated while trying to comply with this requirement. If they have already done considerable work on their contribution then they will need to squash their commits in order to comply. This requires additional knowledge of git that creates a higher barrier to entry.
- Possible solutions:
- Continue to require GPG signatures but reduce barrier to entry by enabling a bot that can guide users through the setup and fixing processes.
- Remove the hard requirement but encourage PMC members and known committers to continue using the feature so we can more easily flag suspicious activity.
- Remove the requirement and the expectation entirely.
- Action Items:
- Discuss problem and the trade-offs of different possible solutions.
- Hold a vote to decide whether we will keep the GPG signing requirement.
- Review the project board.