| 1 |
Hi all, |
| 2 |
|
| 3 |
The gitolite hooks for GPG-signed pushes have been very successful since |
| 4 |
we launched them with the Gentoo repo, so I'd like to roll them out to |
| 5 |
more repos. |
| 6 |
|
| 7 |
Additionally, in an effort to simplify configuration, we're going to |
| 8 |
default to a number of hooks being enabled (but they will do nothing |
| 9 |
without a little bit of extra config), and some of these may be useful |
| 10 |
to developers, so I'm making them more widely known. |
| 11 |
|
| 12 |
Initial repos & repo namespaces for improved security: |
| 13 |
------------------------------------------------------ |
| 14 |
data/* (all public, includes GLSA & news repos) |
| 15 |
foundation/* (all private) |
| 16 |
infra/* (mostly private) |
| 17 |
pr-private |
| 18 |
|
| 19 |
Default hooks: |
| 20 |
-------------- |
| 21 |
require-signed-push: required all Git pushes to be GPG-signed. Will be |
| 22 |
incrementally enabled on repos where all committers are Gentoo |
| 23 |
developers. |
| 24 |
|
| 25 |
save-push-signatures: record Git signed pushes in the repository |
| 26 |
(downloaded automatically if you add 'fetch = |
| 27 |
+refs/push-certs:refs/push-certs/origin' to your gitconfig remote for |
| 28 |
repo/gentoo). |
| 29 |
|
| 30 |
gentoo-commits: Send email to the gentoo-commits mailing list; Enabled |
| 31 |
for public repos only (can also email other destinations). |
| 32 |
|
| 33 |
Default hooks w/ config required: |
| 34 |
--------------------------------- |
| 35 |
gentoo-mirror - mirrors a repo to Github or any other external location. |
| 36 |
|
| 37 |
notify-webhook - Sends Github-style PushEvent [1] Webhook messages. |
| 38 |
Source available at [2]. Please file a bug if you want a Webhook URL |
| 39 |
added to a repo that you own. |
| 40 |
|
| 41 |
Further proposed hooks: |
| 42 |
----------------------- |
| 43 |
I'd like to consider enabling require-signed-commit on all of the same |
| 44 |
repos where require-signed-push is used, in the same vein that GitHub |
| 45 |
added support for a 'Verified' flag on commits. This hook so far has |
| 46 |
only ever been enabled on repo/gentoo, and only verifies standalone |
| 47 |
commits & the left-hand side of merges (eg the one onto master). Further |
| 48 |
improvements first might include optionally requiring ALL commits to be |
| 49 |
signed (not for use on repo/gentoo, but valuable for other repos). |
| 50 |
|
| 51 |
[1] https://developer.github.com/v3/activity/events/types/#pushevent |
| 52 |
[2] Upstream code https://github.com/metajack/notify-webhook |
| 53 |
[3] https://github.com/blog/2144-gpg-signature-verification |
| 54 |
|
| 55 |
-- |
| 56 |
Robin Hugh Johnson |
| 57 |
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee |
| 58 |
E-Mail : robbat2@g.o |
| 59 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives