Provide a feedback in pull requests if code signature is missing #2517

Closed
marmarek opened this Issue Dec 12, 2016 · 5 comments

Member

marmarek commented Dec 12, 2016

Ease enforcing a policy of requiring all contributions to be signed.
This should automatically mark unsigned pull requests as failed (but not close them automatically, as the author may push the missing tag later, or even force-push signed commits).

jpouellet Dec 13, 2016

Contributor

What is the story with this policy: https://www.qubes-os.org/doc/license/#note-on-rights-to-double-licensing-of-the-qubes-code ? (requiring signed-off-by, or in some way formally delegating a superset of GPL rights).

It is clearly not enforced in practice, and AFAICT it does not appear to ever have been, but it may become more relevant in light of Qubes' commercialization plans. Perhaps some sort of CLA should be formalized?

Personally I don't care what ITL (or whoever) does with my contributions, I usually release all my things under a BSD license anyway. I'm certainly deriving more benefit from your work than you are from mine regardless :)


marmarek Dec 13, 2016

Member

marmarek added a commit to marmarek/signature-checker that referenced this issue Dec 15, 2016

Initial version - check for commit or tag signature
This just checks the signature, does not report it anywhere yet.

QubesOS/qubes-issues#2517

marmarek Dec 15, 2016

Member

@jpouellet could you upload your key to a keyserver? The script currently rejects your signatures because of this. QubesOS/qubes-manager#17
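
The check discussed in this thread, as an added example that is not part of the issue or of marmarek/signature-checker: it classifies the GnuPG status lines printed by `git verify-commit --raw` and `git verify-tag --raw`, reports a missing public key separately from an unsigned commit, and marks the pull request failed rather than closing it. The names `classify` and `pr_state` and the sample key ID and fingerprint are assumptions made for illustration.

```python
# Added example, not code from marmarek/signature-checker.
# Input: GnuPG status text from `git verify-commit --raw <sha>` or
# `git verify-tag --raw <tag>` (both print it to stderr).
PREFIX = "[GNUPG:] "
REJECT = ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")  # GnuPG status keywords

def classify(raw):
    """Map one verification's status text to (ok, reason). Fails closed."""
    seen = {}
    for line in raw.splitlines():
        if line.startswith(PREFIX):
            keyword, _, args = line[len(PREFIX):].partition(" ")
            seen.setdefault(keyword, args.split())
    if not seen:
        return False, "unsigned"
    if "NO_PUBKEY" in seen:
        return False, "key %s not available to the checker" % " ".join(seen["NO_PUBKEY"])
    for keyword in REJECT:
        if keyword in seen:
            return False, keyword.lower()
    if "GOODSIG" in seen and seen.get("VALIDSIG"):
        return True, "signed by " + seen["VALIDSIG"][0]
    return False, "signature could not be verified"

def pr_state(commit_raw, tag_raws=()):
    """Hypothetical status for a pull request head: pass if the commit itself
    or any tag pointing at it verifies; otherwise 'failure' (never 'close')."""
    reasons = []
    for raw in (commit_raw, *tag_raws):
        ok, reason = classify(raw)
        if ok:
            return "success", reason
        reasons.append(reason)
    return "failure", "; ".join(reasons)

# Constructed sample status output (key ID and fingerprint are placeholders).
GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Contributor <c@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2016-12-15 1481760000 0 4 0 1 8 00 0000111122223333444455556666777788889999
"""
MISSING_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1481760000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

if __name__ == "__main__":
    print(pr_state(""))            # unsigned commit, no tag
    print(pr_state(MISSING_KEY))   # signed, but the key cannot be found
    print(pr_state("", [GOOD]))    # unsigned commit, signed tag pushed later
```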

jpouellet Dec 16, 2016

Contributor

> @jpouellet could you upload your key to a keyserver?

Done, although I'd been meaning to replace it with a longer-term higher-security key first.

> The script currently rejects your signatures because of this.

To which script are you referring? qubes-builder/scripts/verify-git-tag? I do not see anywhere it imports from keyservers automatically...

FWIW, my key was previously here: QubesOS/qubes-installer-qubes-os#8 (comment) (one of my first PRs to Qubes) and I intended to have already replaced it by now.

marmarek Dec 16, 2016

Member

> To which script are you referring? qubes-builder/scripts/verify-git-tag? I do not see anywhere it imports from keyservers automatically...

No, the one in the commit closing this issue.

marmarek added a commit to marmarek/signature-checker that referenced this issue Dec 16, 2016
