Hi all,

The gitolite hooks for GPG-signed pushes have been very successful since
we launched them with the Gentoo repo, so I'd like to roll them out to
more repos.

Additionally, in an effort to simplify configuration, we're going to
default to a number of hooks being enabled (but they will do nothing
without a little bit of extra config), and some of these may be useful
to developers, so I'm making them more widely known.

Initial repos & repo namespaces for improved security:
------------------------------------------------------
data/* (all public, includes GLSA & news repos)
foundation/* (all private)
infra/* (mostly private)
pr-private

Default hooks:
--------------
require-signed-push: requires all Git pushes to be GPG-signed. Will be
incrementally enabled on repos where all committers are Gentoo
developers.

save-push-signatures: record Git signed pushes in the repository
(downloaded automatically if you add 'fetch =
+refs/push-certs:refs/push-certs/origin' to your gitconfig remote for
repo/gentoo).

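As an added illustration (not gitolite's hook code and not part of the original announcement), a minimal pre-receive hook that refuses unsigned or badly signed pushes using the push-certificate variables Git itself exports to receive hooks; it assumes the server has receive.certNonceSeed set and the permitted signing keys imported into the server's GnuPG keyring:

```shell
#!/bin/sh
# Illustrative pre-receive hook enforcing GPG-signed pushes. Added example,
# not gitolite's require-signed-push hook. It relies on Git's own push
# certificate support: with receive.certNonceSeed set, Git exports
# GIT_PUSH_CERT, GIT_PUSH_CERT_STATUS, GIT_PUSH_CERT_NONCE_STATUS and
# GIT_PUSH_CERT_SIGNER to receive hooks (see git-receive-pack(1)).

# Decide whether a push certificate is acceptable.
# Arguments: <signature status> <nonce status> <signer identity>
# Returns 0 to accept, 1 to reject; the reason goes to stderr, which Git
# relays back to the pushing client.
push_cert_ok() {
    status="$1"; nonce="$2"; signer="$3"
    case "$status" in
        G) ;;  # good signature from a key in the server's GnuPG keyring
        U) echo "rejected: signature from a key with unknown validity (${signer:-?})" >&2
           return 1 ;;  # policy choice: only keys the keyring trusts are accepted
        N) echo "rejected: push is not signed; use 'git push --signed'" >&2
           return 1 ;;
        *) echo "rejected: bad or unverifiable push signature (status '$status')" >&2
           return 1 ;;  # B (bad), E (error) or anything unexpected
    esac
    case "$nonce" in
        OK|SLOP) ;;     # nonce issued by this server, fresh or within certNonceSlop
        *) echo "rejected: push certificate nonce is $nonce (possible replay)" >&2
           return 1 ;;  # UNSOLICITED, MISSING or BAD
    esac
    return 0
}

# Hook entry point: Git sends one "<old-sha> <new-sha> <refname>" line per ref.
main() {
    if [ -z "$GIT_PUSH_CERT" ]; then
        echo "rejected: no push certificate; use 'git push --signed'" >&2
        exit 1
    fi
    push_cert_ok "${GIT_PUSH_CERT_STATUS:-N}" "${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}" \
                 "$GIT_PUSH_CERT_SIGNER" || exit 1
    while read -r _old _new ref; do
        echo "accepted signed update of $ref from $GIT_PUSH_CERT_SIGNER" >&2
    done
    exit 0
}

# Only act as the hook when installed as hooks/pre-receive; running the file
# under any other name just defines the functions.
case "${0##*/}" in
    pre-receive) main "$@" ;;
esac
```

Clients produce the certificate with 'git push --signed'; any rejection reason printed above is shown to them verbatim.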
gentoo-commits: Send email to the gentoo-commits mailing list; Enabled
for public repos only (can also email other destinations).

Default hooks w/ config required:
---------------------------------
gentoo-mirror - mirrors a repo to Github or any other external location.

notify-webhook - Sends Github-style PushEvent [1] Webhook messages.
Source available at [2]. Please file a bug if you want a Webhook URL
added to a repo that you own.

Further proposed hooks:
-----------------------
I'd like to consider enabling require-signed-commit on all of the same
repos where require-signed-push is used, in the same vein that GitHub
added support for a 'Verified' flag on commits [3]. This hook so far has
only ever been enabled on repo/gentoo, and only verifies standalone
commits & the left-hand side of merges (e.g. the one onto master). Further
improvements first might include optionally requiring ALL commits to be
signed (not for use on repo/gentoo, but valuable for other repos).

[1] https://developer.github.com/v3/activity/events/types/#pushevent
[2] Upstream code https://github.com/metajack/notify-webhook
[3] https://github.com/blog/2144-gpg-signature-verification

--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85