Subject: [gentoo-project] Gentoo's gitolite hooks: increasing security & increased functionality awareness
From: Robin H. Johnson @ 2016-05-01 1:18 UTC
To: gentoo-dev; +Cc: gentoo-project
Hi all,
The gitolite hooks for GPG-signed pushes have been very successful since
we launched them with the Gentoo repo, so I'd like to roll them out to
more repos.
Additionally, in an effort to simplify configuration, we're going to
default to a number of hooks being enabled (but they will do nothing
without a little bit of extra config), and some of these may be useful
to developers, so I'm making them more widely known.
Initial repos & repo namespaces for improved security:
------------------------------------------------------
data/* (all public, includes GLSA & news repos)
foundation/* (all private)
infra/* (mostly private)
pr-private
Default hooks:
--------------
require-signed-push: requires all Git pushes to be GPG-signed. Will be
incrementally enabled on repos where all committers are Gentoo
developers.
save-push-signatures: record Git signed pushes in the repository
(downloaded automatically if you add 'fetch =
+refs/push-certs:refs/push-certs/origin' to your gitconfig remote for
repo/gentoo).
gentoo-commits: sends email to the gentoo-commits mailing list; enabled
for public repos only (can also email other destinations).
Default hooks w/ config required:
---------------------------------
gentoo-mirror - mirrors a repo to Github or any other external location.
notify-webhook - Sends Github-style PushEvent [1] Webhook messages.
Source available at [2]. Please file a bug if you want a Webhook URL
added to a repo that you own.
Further proposed hooks:
-----------------------
I'd like to consider enabling require-signed-commit on all of the same
repos where require-signed-push is used, in the same vein that GitHub
added support for a 'Verified' flag on commits [3]. This hook so far has
only ever been enabled on repo/gentoo, and only verifies standalone
commits & the left-hand side of merges (e.g. the one onto master). Further
improvements first might include optionally requiring ALL commits to be
signed (not for use on repo/gentoo, but valuable for other repos).
[1] https://developer.github.com/v3/activity/events/types/#pushevent
[2] Upstream code https://github.com/metajack/notify-webhook
[3] https://github.com/blog/2144-gpg-signature-verification
--
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
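The two checks the mail above describes, require-signed-push and the narrower require-signed-commit (standalone commits plus the first-parent side of merges), written as a single pre-receive hook. This is an added example, not Gentoo's gitolite hook code. It relies only on documented git behaviour: when a client pushes with `git push --signed`, receive-pack verifies the push certificate itself and exports the result to hooks as `GIT_PUSH_CERT`, `GIT_PUSH_CERT_STATUS` and `GIT_PUSH_CERT_NONCE_STATUS` (see githooks(5)), so the hook only has to refuse anything that is not a good signature with a matching nonce. The function names `check_signed_push` and `check_signed_commits` are this example's own.

```shell
#!/bin/sh
# Added example, not Gentoo's hook: a pre-receive hook enforcing
# require-signed-push and the first-parent form of require-signed-commit.
# receive-pack exports GIT_PUSH_CERT_* to pre-receive/update/post-receive
# hooks for pushes made with `git push --signed` (githooks(5)).

# require-signed-push: accept only a push that carried a certificate whose
# signature verified ("G") and whose nonce matched the one this server
# issued ("OK"); the nonce is what stops a captured certificate from being
# replayed. Reads the variables from the environment so it can be
# exercised without a repository. Returns 0 to accept, 1 to reject.
check_signed_push() {
    if [ -z "${GIT_PUSH_CERT:-}" ]; then
        echo "rejected: push is not signed (use git push --signed)" >&2
        return 1
    fi
    case "${GIT_PUSH_CERT_STATUS:-}" in
        G) ;;   # good signature from a key in the server's keyring
        *) echo "rejected: push certificate status '${GIT_PUSH_CERT_STATUS:-}'" >&2
           return 1 ;;
    esac
    case "${GIT_PUSH_CERT_NONCE_STATUS:-}" in
        OK) ;;  # nonce is the one this server handed out for this push
        *) echo "rejected: push certificate nonce status '${GIT_PUSH_CERT_NONCE_STATUS:-}'" >&2
           return 1 ;;
    esac
    return 0
}

# require-signed-commit as the mail describes it: walk old..new along the
# first parent only, so standalone commits and the "left-hand side" of
# merges are checked while commits brought in through a merge are not.
# $1 = old sha, $2 = new sha from the hook's stdin line. Needs a real
# repository and gpg, so the offline check below does not exercise it.
check_signed_commits() {
    old=$1
    new=$2
    zero=0000000000000000000000000000000000000000
    if [ "$new" = "$zero" ]; then
        return 0                          # ref deletion: nothing to verify
    fi
    if [ "$old" = "$zero" ]; then
        range="$new --not --all"          # new ref: skip commits already present
    else
        range="$old..$new"
    fi
    # shellcheck disable=SC2086  (range is deliberately word-split)
    for c in $(git rev-list --first-parent $range); do
        # verify-commit exits non-zero for unsigned or badly signed commits
        if ! git verify-commit "$c" 2>/dev/null; then
            echo "rejected: commit $c is not GPG-signed by a trusted key" >&2
            return 1
        fi
    done
    return 0
}

# Entry point when installed as hooks/pre-receive: reject the whole push on
# the first failure. pre-receive receives "<old> <new> <ref>" lines on stdin.
case "$0" in
    */pre-receive)
        check_signed_push || exit 1
        while read -r old new ref; do
            check_signed_commits "$old" "$new" || exit 1
        done
        exit 0
        ;;
esac
```

Installed as `hooks/pre-receive` in the bare repository, the script rejects an entire push rather than individual refs, which is the right granularity for a push certificate since one certificate covers every ref update in the push.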