Changeset View
Standalone View
documentation/content/en/articles/committers-guide/_index.adoc
Show First 20 Lines • Show All 2,104 Lines • ▼ Show 20 Lines | |||||
remote: Resolving deltas: 100% (1/1), completed with 1 local object. | remote: Resolving deltas: 100% (1/1), completed with 1 local object. | ||||
To github.com:gvnn3/freebsd-src.git | To github.com:gvnn3/freebsd-src.git | ||||
9e5243d7b659..cf6aeb8d7dda gnn-feature -> gnn-feature | 9e5243d7b659..cf6aeb8d7dda gnn-feature -> gnn-feature | ||||
.... | .... | ||||
At this point your work is now in your branch on +GitHub+ and you can | At this point your work is now in your branch on +GitHub+ and you can | ||||
share the link with other collaborators. | share the link with other collaborators. | ||||
[[git-gpg-signing]] | |||||
=== Signing the commits, tags, and pushes, with GnuPG | |||||
Git knows how to sign commits, tags, and pushes. | |||||
When you sign a Git commit or a tag, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. | |||||
You also can prove that you submitted the code and not someone else. | |||||
A more in-depth documentation on signing commits and tags can be found in the https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work[Git Tools - Signing Your Work] chapter of the Git's book. | |||||
The rationale behind signing pushes can be found in the https://github.com/git/git/commit/a85b377d0419a9dfaca8af2320cc33b051cbed04[commit that introduced the feature]. | |||||
The best way is to simply tell Git you always want to sign commits, tags, and pushes. | |||||
You can do this by setting a few configuration variables: | |||||
[source,shell] | |||||
.... | |||||
% git config --add user.signingKey=LONG-KEY-ID | |||||
imp: For the committer's guide, I'd omit this entire paragraph. It's relevance is low for a how-to… | |||||
Done Inline ActionsThat whole paragraph is verbatim from the commit introducing signed pushes. Security is not my thing, and while I understand the concepts, I could not figure out what to write and how to briefly explain signed pushes, so I simply copied it. mat: That whole paragraph is verbatim from the commit introducing signed pushes. Security is not my… | |||||
Done Inline ActionsThe paragraph is out of place and not that useful in this context. It's confusing and doesn't communicate the differences in signing commits, tags etc. That entire discussion is available elsewhere and we should just include something like To understand the scope of different ways to sign commits, tags, etc, please see <link here> I can supply the link if need be. imp: The paragraph is out of place and not that useful in this context. It's confusing and doesn't… | |||||
% git config --add commit.gpgSign=true | |||||
% git config --add tag.gpgSign=true | |||||
% git config --add push.gpgSign=if-asked | |||||
.... | |||||
// push.gpgSign should probably be set to `yes` once we enable it, or be set with --global, so that it is enabled for all repositories. | |||||
[NOTE] | |||||
====== | |||||
To avoid possible collisions, make sure you give a long key id to Git. | |||||
You can get the long id with: `gpg --list-secret-keys --keyid-format LONG`. | |||||
====== | |||||
[TIP] | |||||
====== | |||||
Done Inline ActionsPerhaps make the above code specific to FreeBSD, so that it doens't clobber other project configurations in case one uses a different ID / key there. rene: Perhaps make the above code specific to FreeBSD, so that it doens't clobber other project… | |||||
Done Inline ActionsWell, yeah, I wondered about adding or not --global. mat: Well, yeah, I wondered about adding or not `--global`. | |||||
To use specific subkeys, and not have GnuPG to resolve the subkey to a primary key, attach `!` to the key. | |||||
For example, to encrypt for the subkey `DEADBEEF`, use `DEADBEEF!`. | |||||
====== | |||||
==== Verifying signatures | |||||
Commit signatures can be verified by running either `git verify-commit <commit hash>`, or `git log --show-signature`. | |||||
Tag signatures can be verifed with `git verity-tag <tag name>`, or `git tag -v <tag name>`. | |||||
//// | |||||
Commented out for now until we decide what to do. | |||||
Git pushes are a bit different, they live in a special ref in the repository. | |||||
TODO: write how to verify them | |||||
//// | |||||
[[vcs-history]] | [[vcs-history]] | ||||
== Version Control History | == Version Control History | ||||
The project has moved to <<git-primer,git>>. | The project has moved to <<git-primer,git>>. | ||||
The FreeBSD source repository switched from CVS to Subversion on May 31st, 2008. | The FreeBSD source repository switched from CVS to Subversion on May 31st, 2008. | ||||
The first real SVN commit is __r179447__. | The first real SVN commit is __r179447__. | ||||
▲ Show 20 Lines • Show All 1,639 Lines • Show Last 20 Lines |
For the committer's guide, I'd omit this entire paragraph. It's relevance is low for a how-to section, and how we do trust will be something we need to work out in the coming weeks and/or months. I think this paragraph is awkwardly written and a bit unclear. I think those things that it will create a misperception we'll need to clean up later. Ideally, we'd instead point to a trusted source for a more detailed explanation about git's signing model.