Gentoo Archives: gentoo-project

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Cc: gentoo-project@l.g.o
Subject: [gentoo-project] Gentoo's gitolite hooks: increasing security & increased functionality awareness
Date: Sun, 01 May 2016 01:18:59
1 Hi all,
3 The gitolite hooks for GPG-signed pushes have been very successful since
4 we launched them with the Gentoo repo, so I'd like to roll them out to
5 more repos.
7 Additionally, in an effort to simplify configuration, we're going to
8 default to a number of hooks being enabled (but they will do nothing
9 without a little bit of extra config), and some of these may be useful
10 to developers, so I'm making them more widely known.
12 Initial repos & repo namespaces for improved security:
13 ------------------------------------------------------
14 data/* (all public, includes GLSA & news repos)
15 foundation/* (all private)
16 infra/* (mostly private)
17 pr-private
19 Default hooks:
20 --------------
21 require-signed-push: required all Git pushes to be GPG-signed. Will be
22 incrementally enabled on repos where all committers are Gentoo
23 developers.
25 save-push-signatures: record Git signed pushes in the repository
26 (downloaded automatically if you add 'fetch =
27 +refs/push-certs:refs/push-certs/origin' to your gitconfig remote for
28 repo/gentoo).
30 gentoo-commits: Send email to the gentoo-commits mailing list; Enabled
31 for public repos only (can also email other destinations).
33 Default hooks w/ config required:
34 ---------------------------------
35 gentoo-mirror - mirrors a repo to Github or any other external location.
37 notify-webhook - Sends Github-style PushEvent [1] Webhook messages.
38 Source available at [2]. Please file a bug if you want a Webhook URL
39 added to a repo that you own.
41 Further proposed hooks:
42 -----------------------
43 I'd like to consider enabling require-signed-commit on all of the same
44 repos where require-signed-push is used, in the same vein that GitHub
45 added support for a 'Verified' flag on commits. This hook so far has
46 only ever been enabled on repo/gentoo, and only verifies standalone
47 commits & the left-hand side of merges (eg the one onto master). Further
48 improvements first might include optionally requiring ALL commits to be
49 signed (not for use on repo/gentoo, but valuable for other repos).
51 [1]
52 [2] Upstream code
53 [3]
55 --
56 Robin Hugh Johnson
57 Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee
58 E-Mail : robbat2@g.o
59 GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85


File name MIME type
signature.asc application/pgp-signature