git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Using signed tag in pull requests
@ 2012-01-17 22:53 Junio C Hamano
  2012-01-17 23:29 ` [PATCH] pulling signed tag: add howto document Junio C Hamano
  2012-01-18  1:07 ` Using signed tag in pull requests Andrew Ardill
  0 siblings, 2 replies; 10+ messages in thread
From: Junio C Hamano @ 2012-01-17 22:53 UTC (permalink / raw)
  To: git; +Cc: linux-kernel

This document will appear in Documentation/howto of Git release v1.7.9; I
am sending it out for an early review.

Thanks.

-- >8 --
Using signed tag in pull requests
=================================

A typical distributed workflow using Git is for a contributor to fork a
project, build on it, publish the result to her public repository, and ask
the "upstream" person (often the owner of the project where she forked
from) to pull from her public repository. Requesting such a "pull" is made
easy by the `git request-pull` command.

Earlier, a typical pull request may have started like this:

------------
 The following changes since commit 406da78032179...:

   Froboz 3.2 (2011-09-30 14:20:57 -0700)

 are available in the git repository at:

   example.com:/git/froboz.git for-xyzzy
------------

followed by a shortlog of the changes and a diffstat.

The request was for a branch name (e.g. `for-xyzzy`) in the public
repository of the contributor, and even though it stated where the
contributor forked her work from, the message did not say anything about
the commit to expect at the tip of the for-xyzzy branch. If the site that
hosts the public repository of the contributor cannot be fully trusted, it
was unnecessarily hard to make sure what was pulled by the integrator was
genuinely what the contributor had produced for the project. Also there
was no easy way for third-party auditors to later verify the resulting
history.

Starting from Git release v1.7.9, a contributor can add a signed tag to
the commit at the tip of the history and ask the integrator to pull that
signed tag. When the integrator runs `git pull`, the signed tag is
automatically verified to assure that the history is not tampered with.
In addition, the resulting merge commit records the content of the signed
tag, so that other people can verify that the branch merged by the
contributor was signed by the contributor, without fetching the signed tag
used to validate the pull request separately and keeping it in the refs
namespace.

This document describes the workflow between the contributor and the
integrator, using Git v1.7.9 or later.


A contributor or a lieutenant
-----------------------------

After preparing her work to be pulled, the contributor uses `git tag -s`
to create a signed tag [*1*]:

------------
 $ git checkout work
 $ ... "git pull" from sublieutenants, "git commit" your own work ...
 $ git tag -s -m "Completed frotz feature" frotz-for-xyzzy work
------------

and pushes the tag out to her publishing repository [*2*]. There is no
need to push the `work` branch or anything else:

------------
 $ git push example.com:/git/froboz.git/ +frotz-for-xyzzy
------------

Then the contributor prepares a message to request a "pull":

------------
 $ git request-pull v3.2 example.com:/git/froboz.git/ frotz-for-xyzzy >msg.txt
------------

The arguments are:

. the version of the integrator's commit the contributor based her work on;
. the URL of the repository, to which the contributor has pushed what she
  wants to get pulled; and
. the name of the tag the contributor wants to get pulled (earlier, she could
  write only a branch name here).

The resulting msg.txt file begins like so:

------------
 The following changes since commit 406da78032179...:

   Froboz 3.2 (2011-09-30 14:20:57 -0700)

 are available in the git repository at:

   example.com:/git/froboz.git frotz-for-xyzzy

 for you to fetch changes up to 703f05ad5835c...:

   Add tests and documentation for frotz (2011-12-02 10:02:52 -0800)

 -----------------------------------------------
 Completed frotz feature
 -----------------------------------------------
------------

followed by a shortlog of the changes and a diffstat.  Comparing this with
the earlier illustration of the output from the traditional `git request-pull`
command, the reader should notice that:

. The tip commit to expect is shown to the integrator; and
. The signed tag message is shown prominently between the dashed lines
  before the shortlog.

The latter is why the contributor would want to justify why pulling her
work is worthwhile when creating the signed tag.  The contributor then
opens her favorite MUA, reads msg.txt, edits and sends it to her upstream
integrator.


Integrator
----------

After receiving such a pull request message, the integrator fetches and
integrates the tag named in the request, with:

------------
 $ git pull example.com:/git/froboz.git/ frotz-for-xyzzy
------------

This operation will always open an editor to allow the integrator to fine
tune the commit log message when merging a signed tag.  Also, pulling a
signed tag will always create a merge commit even when the integrator does
not have any new commits since the contributor's work forked (i.e. 'fast
forward'), so that the integrator can properly explain what the merge is
about and why it was made.

In the editor, the integrator will see something like this:

------------
 Merge tag 'frotz-for-xyzzy' of example.com:/git/froboz.git/

 Completed frotz feature
 # gpg: Signature made Fri 02 Dec 2011 10:03:01 AM PST using RSA key ID 96AFE6CB
 # gpg: Good signature from "Con Tributor <nitfol@example.com>"
------------

provided if the signature in the signed tag verifies correctly. Notice
that the message recorded in the signed tag "Completed frotz feature"
appears here, and again that is why it is important for the contributor
to explain her work well when creating the signed tag.

As usual, the lines commented with `#` are stripped out. The resulting
commit records the signed tag used for this validation in a hidden field
so that it can later be used by others to audit the history. There is no
need for the integrator to keep a separate copy of the tag in his
repository (i.e. `git tag -l` won't list frotz-for-xyzzy tag in the above
example), and there is no need to publish the tag to his public
repository, either.

After the integrator responds to the pull request and her work becomes
part of the permanent history, the contributor can remove the tag from the
publishing repository, if she chooses, in order to keep the tag namespace
of her public repository clean, with:

------------
 $ git push example.com:/git/froboz.git :frotz-for-xyzzy
------------


Auditors
--------

The `--show-signature` option can be given to `git log` or `git show` and
shows the verification status of the embedded signed tag in merge commits
created when the integrator responded to a pull request of a signed tag.

A typical output from `git show --show-signature` may look like this:

------------
 $ git show --show-signature
 commit 02306ef6a3498a39118aef9df7975bdb50091585
 merged tag 'frotz-for-xyzzy'
 gpg: Signature made Fri 06 Jan 2012 12:41:49 PM PST using RSA key ID 96AFE6CB
 gpg: Good signature from "Con Tributor <nitfol@example.com>"
 Merge: 406da78 703f05a
 Author: Inte Grator <xyzzy@example.com>
 Date:   Tue Jan 17 13:49:41 2012 -0800

     Merge tag 'frotz-for-xyzzy'

     Completed frotz feature

     * tag 'frotz-for-xyzzy' (100 commits)
       Add tests and documentation for frotz
       ...
------------

There is no need to fetch and keep a signed tag like `frotz-for-xyzzy`
that is used for frequent "pull" exchange in the long term just for such
auditing purposes, as the signature is recorded as part of the merge
commit.


Footnotes
---------

*1* This example uses the `-m` option to create a signed tag with just a
single liner message, but this is for illustration purposes only. It is
advisable to compose a well-written explanation of what the topic does to
justify why it is worthwhile for the integrator to pull it, as this
message will eventually become part of the final history after the
integrator responds to the pull request.

*2* The example uses plus at the beginning of `+frotz-for-xyzzy` to allow
forcing the update of a tag, as the same contributor may want to reuse a
signed tag with the same name after the previous pull request has already
been responded to.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH] pulling signed tag: add howto document
  2012-01-17 22:53 Using signed tag in pull requests Junio C Hamano
@ 2012-01-17 23:29 ` Junio C Hamano
  2012-01-18 15:15   ` Marc Branchaud
  2012-01-18  1:07 ` Using signed tag in pull requests Andrew Ardill
  1 sibling, 1 reply; 10+ messages in thread
From: Junio C Hamano @ 2012-01-17 23:29 UTC (permalink / raw)
  To: git

This time in a proper patch format...

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 * We may want to update Documentation/Makefile in such a way that we
   do not have to manually maintain a subset of howto/ files that need to
   be added to SP_ARTICLES list (i.e. asciidoc formatted). They are all
   marked with "Content-type: text/asciidoc" so a trivial $(shell grep -l) 
   might be all it takes. Hint, hint...

 Documentation/Makefile                             |    5 +-
 .../howto/using-signed-tag-in-pull-request.txt     |  221 ++++++++++++++++++++
 2 files changed, 225 insertions(+), 1 deletions(-)
 create mode 100644 Documentation/howto/using-signed-tag-in-pull-request.txt

diff --git a/Documentation/Makefile b/Documentation/Makefile
index 116f175..d40e211 100644
--- a/Documentation/Makefile
+++ b/Documentation/Makefile
@@ -20,7 +20,10 @@ ARTICLES += everyday
 ARTICLES += git-tools
 ARTICLES += git-bisect-lk2009
 # with their own formatting rules.
-SP_ARTICLES = howto/revert-branch-rebase howto/using-merge-subtree user-manual
+SP_ARTICLES = user-manual
+SP_ARTICLES += howto/revert-branch-rebase
+SP_ARTICLES += howto/using-merge-subtree
+SP_ARTICLES += howto/using-signed-tag-in-pull-request
 API_DOCS = $(patsubst %.txt,%,$(filter-out technical/api-index-skel.txt technical/api-index.txt, $(wildcard technical/api-*.txt)))
 SP_ARTICLES += $(API_DOCS)
 SP_ARTICLES += technical/api-index
diff --git a/Documentation/howto/using-signed-tag-in-pull-request.txt b/Documentation/howto/using-signed-tag-in-pull-request.txt
new file mode 100644
index 0000000..a057f9a
--- /dev/null
+++ b/Documentation/howto/using-signed-tag-in-pull-request.txt
@@ -0,0 +1,221 @@
+From: Junio C Hamano <gitster@pobox.com>
+Date: Tue, 17 Jan 2011 13:00:00 -0800
+Subject: Using signed tag in pull requests
+Abstract: Beginning v1.7.9, a contributor can push a signed tag to her
+ publishing repository and ask her integrator to pull it. This assures the
+ integrator that the pulled history is authentic and allows others to
+ later validate it.
+Content-type: text/asciidoc
+
+Using signed tag in pull requests
+=================================
+
+A typical distributed workflow using Git is for a contributor to fork a
+project, build on it, publish the result to her public repository, and ask
+the "upstream" person (often the owner of the project where she forked
+from) to pull from her public repository. Requesting such a "pull" is made
+easy by the `git request-pull` command.
+
+Earlier, a typical pull request may have started like this:
+
+------------
+ The following changes since commit 406da78032179...:
+
+   Froboz 3.2 (2011-09-30 14:20:57 -0700)
+
+ are available in the git repository at:
+
+   example.com:/git/froboz.git for-xyzzy
+------------
+
+followed by a shortlog of the changes and a diffstat.
+
+The request was for a branch name (e.g. `for-xyzzy`) in the public
+repository of the contributor, and even though it stated where the
+contributor forked her work from, the message did not say anything about
+the commit to expect at the tip of the for-xyzzy branch. If the site that
+hosts the public repository of the contributor cannot be fully trusted, it
+was unnecessarily hard to make sure what was pulled by the integrator was
+genuinely what the contributor had produced for the project. Also there
+was no easy way for third-party auditors to later verify the resulting
+history.
+
+Starting from Git release v1.7.9, a contributor can add a signed tag to
+the commit at the tip of the history and ask the integrator to pull that
+signed tag. When the integrator runs `git pull`, the signed tag is
+automatically verified to assure that the history is not tampered with.
+In addition, the resulting merge commit records the content of the signed
+tag, so that other people can verify that the branch merged by the
+contributor was signed by the contributor, without fetching the signed tag
+used to validate the pull request separately and keeping it in the refs
+namespace.
+
+This document describes the workflow between the contributor and the
+integrator, using Git v1.7.9 or later.
+
+
+A contributor or a lieutenant
+-----------------------------
+
+After preparing her work to be pulled, the contributor uses `git tag -s`
+to create a signed tag [*1*]:
+
+------------
+ $ git checkout work
+ $ ... "git pull" from sublieutenants, "git commit" your own work ...
+ $ git tag -s -m "Completed frotz feature" frotz-for-xyzzy work
+------------
+
+and pushes the tag out to her publishing repository [*2*]. There is no
+need to push the `work` branch or anything else:
+
+------------
+ $ git push example.com:/git/froboz.git/ +frotz-for-xyzzy
+------------
+
+Then the contributor prepares a message to request a "pull":
+
+------------
+ $ git request-pull v3.2 example.com:/git/froboz.git/ frotz-for-xyzzy >msg.txt
+------------
+
+The arguments are:
+
+. the version of the integrator's commit the contributor based her work on;
+. the URL of the repository, to which the contributor has pushed what she
+  wants to get pulled; and
+. the name of the tag the contributor wants to get pulled (earlier, she could
+  write only a branch name here).
+
+The resulting msg.txt file begins like so:
+
+------------
+ The following changes since commit 406da78032179...:
+
+   Froboz 3.2 (2011-09-30 14:20:57 -0700)
+
+ are available in the git repository at:
+
+   example.com:/git/froboz.git frotz-for-xyzzy
+
+ for you to fetch changes up to 703f05ad5835c...:
+
+   Add tests and documentation for frotz (2011-12-02 10:02:52 -0800)
+
+ -----------------------------------------------
+ Completed frotz feature
+ -----------------------------------------------
+------------
+
+followed by a shortlog of the changes and a diffstat.  Comparing this with
+the earlier illustration of the output from the traditional `git request-pull`
+command, the reader should notice that:
+
+. The tip commit to expect is shown to the integrator; and
+. The signed tag message is shown prominently between the dashed lines
+  before the shortlog.
+
+The latter is why the contributor would want to justify why pulling her
+work is worthwhile when creating the signed tag.  The contributor then
+opens her favorite MUA, reads msg.txt, edits and sends it to her upstream
+integrator.
+
+
+Integrator
+----------
+
+After receiving such a pull request message, the integrator fetches and
+integrates the tag named in the request, with:
+
+------------
+ $ git pull example.com:/git/froboz.git/ frotz-for-xyzzy
+------------
+
+This operation will always open an editor to allow the integrator to fine
+tune the commit log message when merging a signed tag.  Also, pulling a
+signed tag will always create a merge commit even when the integrator does
+not have any new commits since the contributor's work forked (i.e. 'fast
+forward'), so that the integrator can properly explain what the merge is
+about and why it was made.
+
+In the editor, the integrator will see something like this:
+
+------------
+ Merge tag 'frotz-for-xyzzy' of example.com:/git/froboz.git/
+
+ Completed frotz feature
+ # gpg: Signature made Fri 02 Dec 2011 10:03:01 AM PST using RSA key ID 96AFE6CB
+ # gpg: Good signature from "Con Tributor <nitfol@example.com>"
+------------
+
+provided if the signature in the signed tag verifies correctly. Notice
+that the message recorded in the signed tag "Completed frotz feature"
+appears here, and again that is why it is important for the contributor
+to explain her work well when creating the signed tag.
+
+As usual, the lines commented with `#` are stripped out. The resulting
+commit records the signed tag used for this validation in a hidden field
+so that it can later be used by others to audit the history. There is no
+need for the integrator to keep a separate copy of the tag in his
+repository (i.e. `git tag -l` won't list frotz-for-xyzzy tag in the above
+example), and there is no need to publish the tag to his public
+repository, either.
+
+After the integrator responds to the pull request and her work becomes
+part of the permanent history, the contributor can remove the tag from the
+publishing repository, if she chooses, in order to keep the tag namespace
+of her public repository clean, with:
+
+------------
+ $ git push example.com:/git/froboz.git :frotz-for-xyzzy
+------------
+
+
+Auditors
+--------
+
+The `--show-signature` option can be given to `git log` or `git show` and
+shows the verification status of the embedded signed tag in merge commits
+created when the integrator responded to a pull request of a signed tag.
+
+A typical output from `git show --show-signature` may look like this:
+
+------------
+ $ git show --show-signature
+ commit 02306ef6a3498a39118aef9df7975bdb50091585
+ merged tag 'frotz-for-xyzzy'
+ gpg: Signature made Fri 06 Jan 2012 12:41:49 PM PST using RSA key ID 96AFE6CB
+ gpg: Good signature from "Con Tributor <nitfol@example.com>"
+ Merge: 406da78 703f05a
+ Author: Inte Grator <xyzzy@example.com>
+ Date:   Tue Jan 17 13:49:41 2012 -0800
+
+     Merge tag 'frotz-for-xyzzy'
+
+     Completed frotz feature
+
+     * tag 'frotz-for-xyzzy' (100 commits)
+       Add tests and documentation for frotz
+       ...
+------------
+
+There is no need to fetch and keep a signed tag like `frotz-for-xyzzy`
+that is used for frequent "pull" exchange in the long term just for such
+auditing purposes, as the signature is recorded as part of the merge
+commit.
+
+
+Footnotes
+---------
+
+*1* This example uses the `-m` option to create a signed tag with just a
+single liner message, but this is for illustration purposes only. It is
+advisable to compose a well-written explanation of what the topic does to
+justify why it is worthwhile for the integrator to pull it, as this
+message will eventually become part of the final history after the
+integrator responds to the pull request.
+
+*2* The example uses plus at the beginning of `+frotz-for-xyzzy` to allow
+forcing the update of a tag, as the same contributor may want to reuse a
+signed tag with the same name after the previous pull request has already
+been responded to.
-- 
1.7.9.rc1.32.g0f516

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using signed tag in pull requests
  2012-01-17 22:53 Using signed tag in pull requests Junio C Hamano
  2012-01-17 23:29 ` [PATCH] pulling signed tag: add howto document Junio C Hamano
@ 2012-01-18  1:07 ` Andrew Ardill
  2012-01-18  1:47   ` Junio C Hamano
  1 sibling, 1 reply; 10+ messages in thread
From: Andrew Ardill @ 2012-01-18  1:07 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git, linux-kernel

Looks pretty good Junio, though one of the lines was a bit confusing:

On 18 January 2012 09:53, Junio C Hamano <gitster@pobox.com> wrote:

> Starting from Git release v1.7.9, a contributor can add a signed tag to
> the commit at the tip of the history and ask the integrator to pull that
> signed tag. When the integrator runs `git pull`, the signed tag is
> automatically verified to assure that the history is not tampered with.
> In addition, the resulting merge commit records the content of the signed
> tag, so that other people can verify that the branch merged by the
> contributor was signed by the contributor, without fetching the signed tag

I think you mean to say 'the branch merged by the integrator was signed
by the contributor'. If you are talking about two separate contributors, or
the same contributor merging one of her own branches, the wording can
likely be improved.

> used to validate the pull request separately and keeping it in the refs
> namespace.

Overall it was easy to understand and makes the whole workflow quite clear.

Regards,
Andrew Ardill

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using signed tag in pull requests
  2012-01-18  1:07 ` Using signed tag in pull requests Andrew Ardill
@ 2012-01-18  1:47   ` Junio C Hamano
  2012-01-18  2:34     ` Andrew Ardill
  0 siblings, 1 reply; 10+ messages in thread
From: Junio C Hamano @ 2012-01-18  1:47 UTC (permalink / raw)
  To: Andrew Ardill; +Cc: git, linux-kernel

Andrew Ardill <andrew.ardill@gmail.com> writes:

>> Starting from Git release v1.7.9, a contributor can add a signed tag to
>> the commit at the tip of the history and ask the integrator to pull that
>> signed tag. When the integrator runs `git pull`, the signed tag is
>> automatically verified to assure that the history is not tampered with.
>> In addition, the resulting merge commit records the content of the signed
>> tag, so that other people can verify that the branch merged by the
>> contributor was signed by the contributor, without fetching the signed tag
>
> I think you mean to say 'the branch merged by the integrator was signed
> by the contributor'.

Definitely. I'll update my local copy.

Thanks for spotting this.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Using signed tag in pull requests
  2012-01-18  1:47   ` Junio C Hamano
@ 2012-01-18  2:34     ` Andrew Ardill
  0 siblings, 0 replies; 10+ messages in thread
From: Andrew Ardill @ 2012-01-18  2:34 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git, linux-kernel

On 18 January 2012 12:47, Junio C Hamano <gitster@pobox.com> wrote:
> Andrew Ardill <andrew.ardill@gmail.com> writes:
>
>>> Starting from Git release v1.7.9, a contributor can add a signed tag to
>>> the commit at the tip of the history and ask the integrator to pull that
>>> signed tag. When the integrator runs `git pull`, the signed tag is
>>> automatically verified to assure that the history is not tampered with.
>>> In addition, the resulting merge commit records the content of the signed
>>> tag, so that other people can verify that the branch merged by the
>>> contributor was signed by the contributor, without fetching the signed tag
>>
>> I think you mean to say 'the branch merged by the integrator was signed
>> by the contributor'.
>
> Definitely. I'll update my local copy.
>
> Thanks for spotting this.

No worries. That's the whole point right? :D

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] pulling signed tag: add howto document
  2012-01-17 23:29 ` [PATCH] pulling signed tag: add howto document Junio C Hamano
@ 2012-01-18 15:15   ` Marc Branchaud
  2012-01-18 21:22     ` Junio C Hamano
  0 siblings, 1 reply; 10+ messages in thread
From: Marc Branchaud @ 2012-01-18 15:15 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

Overall a very understandable doc!  I've just a few linguistic comments:

On 12-01-17 06:29 PM, Junio C Hamano wrote:
> This time in a proper patch format...
> 
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
>  * We may want to update Documentation/Makefile in such a way that we
>    do not have to manually maintain a subset of howto/ files that need to
>    be added to SP_ARTICLES list (i.e. asciidoc formatted). They are all
>    marked with "Content-type: text/asciidoc" so a trivial $(shell grep -l) 
>    might be all it takes. Hint, hint...
> 
>  Documentation/Makefile                             |    5 +-
>  .../howto/using-signed-tag-in-pull-request.txt     |  221 ++++++++++++++++++++
>  2 files changed, 225 insertions(+), 1 deletions(-)
>  create mode 100644 Documentation/howto/using-signed-tag-in-pull-request.txt
> 
> diff --git a/Documentation/Makefile b/Documentation/Makefile
> index 116f175..d40e211 100644
> --- a/Documentation/Makefile
> +++ b/Documentation/Makefile
> @@ -20,7 +20,10 @@ ARTICLES += everyday
>  ARTICLES += git-tools
>  ARTICLES += git-bisect-lk2009
>  # with their own formatting rules.
> -SP_ARTICLES = howto/revert-branch-rebase howto/using-merge-subtree user-manual
> +SP_ARTICLES = user-manual
> +SP_ARTICLES += howto/revert-branch-rebase
> +SP_ARTICLES += howto/using-merge-subtree
> +SP_ARTICLES += howto/using-signed-tag-in-pull-request
>  API_DOCS = $(patsubst %.txt,%,$(filter-out technical/api-index-skel.txt technical/api-index.txt, $(wildcard technical/api-*.txt)))
>  SP_ARTICLES += $(API_DOCS)
>  SP_ARTICLES += technical/api-index
> diff --git a/Documentation/howto/using-signed-tag-in-pull-request.txt b/Documentation/howto/using-signed-tag-in-pull-request.txt
> new file mode 100644
> index 0000000..a057f9a
> --- /dev/null
> +++ b/Documentation/howto/using-signed-tag-in-pull-request.txt
> @@ -0,0 +1,221 @@
> +From: Junio C Hamano <gitster@pobox.com>
> +Date: Tue, 17 Jan 2011 13:00:00 -0800
> +Subject: Using signed tag in pull requests
> +Abstract: Beginning v1.7.9, a contributor can push a signed tag to her
> + publishing repository and ask her integrator to pull it. This assures the
> + integrator that the pulled history is authentic and allows others to
> + later validate it.
> +Content-type: text/asciidoc
> +
> +Using signed tag in pull requests
> +=================================
> +
> +A typical distributed workflow using Git is for a contributor to fork a
> +project, build on it, publish the result to her public repository, and ask
> +the "upstream" person (often the owner of the project where she forked
> +from) to pull from her public repository. Requesting such a "pull" is made
> +easy by the `git request-pull` command.
> +
> +Earlier, a typical pull request may have started like this:
> +
> +------------
> + The following changes since commit 406da78032179...:
> +
> +   Froboz 3.2 (2011-09-30 14:20:57 -0700)
> +
> + are available in the git repository at:
> +
> +   example.com:/git/froboz.git for-xyzzy
> +------------
> +
> +followed by a shortlog of the changes and a diffstat.
> +
> +The request was for a branch name (e.g. `for-xyzzy`) in the public
> +repository of the contributor, and even though it stated where the
> +contributor forked her work from, the message did not say anything about
> +the commit to expect at the tip of the for-xyzzy branch. If the site that
> +hosts the public repository of the contributor cannot be fully trusted, it
> +was unnecessarily hard to make sure what was pulled by the integrator was
> +genuinely what the contributor had produced for the project. Also there
> +was no easy way for third-party auditors to later verify the resulting
> +history.
> +
> +Starting from Git release v1.7.9, a contributor can add a signed tag to
> +the commit at the tip of the history and ask the integrator to pull that
> +signed tag. When the integrator runs `git pull`, the signed tag is
> +automatically verified to assure that the history is not tampered with.
> +In addition, the resulting merge commit records the content of the signed
> +tag, so that other people can verify that the branch merged by the
> +contributor was signed by the contributor, without fetching the signed tag
> +used to validate the pull request separately and keeping it in the refs
> +namespace.
> +
> +This document describes the workflow between the contributor and the
> +integrator, using Git v1.7.9 or later.
> +
> +
> +A contributor or a lieutenant
> +-----------------------------
> +
> +After preparing her work to be pulled, the contributor uses `git tag -s`
> +to create a signed tag [*1*]:

Given that the rest of the text refers to the gist of this footnote, I think
it'd be better to put the note's text here instead of as a footnote.

> +
> +------------
> + $ git checkout work
> + $ ... "git pull" from sublieutenants, "git commit" your own work ...
> + $ git tag -s -m "Completed frotz feature" frotz-for-xyzzy work
> +------------
> +
> +and pushes the tag out to her publishing repository [*2*]. There is no

This footnote speaks of the example using a +, but the example does no such
thing.

> +need to push the `work` branch or anything else:
> +
> +------------
> + $ git push example.com:/git/froboz.git/ +frotz-for-xyzzy
> +------------
> +
> +Then the contributor prepares a message to request a "pull":
> +
> +------------
> + $ git request-pull v3.2 example.com:/git/froboz.git/ frotz-for-xyzzy >msg.txt
> +------------
> +
> +The arguments are:
> +
> +. the version of the integrator's commit the contributor based her work on;
> +. the URL of the repository, to which the contributor has pushed what she
> +  wants to get pulled; and
> +. the name of the tag the contributor wants to get pulled (earlier, she could
> +  write only a branch name here).
> +
> +The resulting msg.txt file begins like so:
> +
> +------------
> + The following changes since commit 406da78032179...:
> +
> +   Froboz 3.2 (2011-09-30 14:20:57 -0700)
> +
> + are available in the git repository at:
> +
> +   example.com:/git/froboz.git frotz-for-xyzzy
> +
> + for you to fetch changes up to 703f05ad5835c...:
> +
> +   Add tests and documentation for frotz (2011-12-02 10:02:52 -0800)
> +
> + -----------------------------------------------
> + Completed frotz feature
> + -----------------------------------------------
> +------------
> +
> +followed by a shortlog of the changes and a diffstat.  Comparing this with
> +the earlier illustration of the output from the traditional `git request-pull`
> +command, the reader should notice that:
> +
> +. The tip commit to expect is shown to the integrator; and
> +. The signed tag message is shown prominently between the dashed lines
> +  before the shortlog.
> +
> +The latter is why the contributor would want to justify why pulling her
> +work is worthwhile when creating the signed tag.  The contributor then
> +opens her favorite MUA, reads msg.txt, edits and sends it to her upstream
> +integrator.
> +
> +
> +Integrator
> +----------
> +
> +After receiving such a pull request message, the integrator fetches and
> +integrates the tag named in the request, with:
> +
> +------------
> + $ git pull example.com:/git/froboz.git/ frotz-for-xyzzy
> +------------
> +
> +This operation will always open an editor to allow the integrator to fine
> +tune the commit log message when merging a signed tag.  Also, pulling a
> +signed tag will always create a merge commit even when the integrator does
> +not have any new commits since the contributor's work forked (i.e. 'fast
> +forward'), so that the integrator can properly explain what the merge is
> +about and why it was made.
> +
> +In the editor, the integrator will see something like this:
> +
> +------------
> + Merge tag 'frotz-for-xyzzy' of example.com:/git/froboz.git/
> +
> + Completed frotz feature
> + # gpg: Signature made Fri 02 Dec 2011 10:03:01 AM PST using RSA key ID 96AFE6CB
> + # gpg: Good signature from "Con Tributor <nitfol@example.com>"
> +------------
> +
> +provided if the signature in the signed tag verifies correctly. Notice

s/if //

> +that the message recorded in the signed tag "Completed frotz feature"
> +appears here, and again that is why it is important for the contributor
> +to explain her work well when creating the signed tag.
> +
> +As usual, the lines commented with `#` are stripped out. The resulting
> +commit records the signed tag used for this validation in a hidden field
> +so that it can later be used by others to audit the history. There is no
> +need for the integrator to keep a separate copy of the tag in his
> +repository (i.e. `git tag -l` won't list frotz-for-xyzzy tag in the above

s/list/list the/

> +example), and there is no need to publish the tag to his public
> +repository, either.
> +
> +After the integrator responds to the pull request and her work becomes
> +part of the permanent history, the contributor can remove the tag from the
> +publishing repository, if she chooses, in order to keep the tag namespace
> +of her public repository clean, with:
> +
> +------------
> + $ git push example.com:/git/froboz.git :frotz-for-xyzzy
> +------------
> +
> +
> +Auditors
> +--------
> +
> +The `--show-signature` option can be given to `git log` or `git show` and
> +shows the verification status of the embedded signed tag in merge commits
> +created when the integrator responded to a pull request of a signed tag.
> +
> +A typical output from `git show --show-signature` may look like this:
> +
> +------------
> + $ git show --show-signature
> + commit 02306ef6a3498a39118aef9df7975bdb50091585
> + merged tag 'frotz-for-xyzzy'
> + gpg: Signature made Fri 06 Jan 2012 12:41:49 PM PST using RSA key ID 96AFE6CB
> + gpg: Good signature from "Con Tributor <nitfol@example.com>"
> + Merge: 406da78 703f05a
> + Author: Inte Grator <xyzzy@example.com>
> + Date:   Tue Jan 17 13:49:41 2012 -0800
> +
> +     Merge tag 'frotz-for-xyzzy'
> +
> +     Completed frotz feature
> +
> +     * tag 'frotz-for-xyzzy' (100 commits)
> +       Add tests and documentation for frotz
> +       ...
> +------------
> +
> +There is no need to fetch and keep a signed tag like `frotz-for-xyzzy`
> +that is used for frequent "pull" exchange in the long term just for such
> +auditing purposes, as the signature is recorded as part of the merge
> +commit.

I had trouble parsing this sentence.  I think part of the problem is that
it's comparing the actual implementation to an earlier proposed design that
was rejected.  So it's trying to sell the reader on a feature of the
implemented design, but the reader doesn't care.

How about this instead:

There is no need for the auditor to explicitly fetch the contributor's
signature, or to even be aware of what tag(s) the contributor and integrator
used to communicate the signature.  All the required information is recorded
as part of the merge commit.

> +
> +
> +Footnotes
> +---------
> +
> +*1* This example uses the `-m` option to create a signed tag with just a
> +single liner message, but this is for illustration purposes only. It is

s/single liner/single-line/

> +advisable to compose a well-written explanation of what the topic does to
> +justify why it is worthwhile for the integrator to pull it, as this
> +message will eventually become part of the final history after the
> +integrator responds to the pull request.
> +
> +*2* The example uses plus at the beginning of `+frotz-for-xyzzy` to allow
> +forcing the update of a tag, as the same contributor may want to reuse a
> +signed tag with the same name after the previous pull request has already
> +been responded to.

		M.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] pulling signed tag: add howto document
  2012-01-18 15:15   ` Marc Branchaud
@ 2012-01-18 21:22     ` Junio C Hamano
  2012-01-18 21:40       ` Marc Branchaud
  0 siblings, 1 reply; 10+ messages in thread
From: Junio C Hamano @ 2012-01-18 21:22 UTC (permalink / raw)
  To: Marc Branchaud; +Cc: git

Marc Branchaud <marcnarc@xiplink.com> writes:

>> +A contributor or a lieutenant
>> +-----------------------------
>> +
>> +After preparing her work to be pulled, the contributor uses `git tag -s`
>> +to create a signed tag [*1*]:
>
> Given that the rest of the text refers to the gist of this footnote, I think
> it'd be better to put the note's text here instead of as a footnote.

Hmm, I'll try to see how well it reads after moving the text here. Thanks.

>> +
>> +------------
>> + $ git checkout work
>> + $ ... "git pull" from sublieutenants, "git commit" your own work ...
>> + $ git tag -s -m "Completed frotz feature" frotz-for-xyzzy work
>> +------------
>> +
>> +and pushes the tag out to her publishing repository [*2*]. There is no
>
> This footnote speaks of the example using a +, but the example does no such
> thing.
>
>> +need to push the `work` branch or anything else:
>> +
>> +------------
>> + $ git push example.com:/git/froboz.git/ +frotz-for-xyzzy
>> +------------

Do you not see the plus in front of +'frotz-for-xyzzy' above, or am I
missing something?

>> +In the editor, the integrator will see something like this:
>> +
>> +------------
>> + Merge tag 'frotz-for-xyzzy' of example.com:/git/froboz.git/
>> +
>> + Completed frotz feature
>> + # gpg: Signature made Fri 02 Dec 2011 10:03:01 AM PST using RSA key ID 96AFE6CB
>> + # gpg: Good signature from "Con Tributor <nitfol@example.com>"
>> +------------
>> +
>> +provided if the signature in the signed tag verifies correctly. Notice
>
> s/if //

Noted.

>> +repository (i.e. `git tag -l` won't list frotz-for-xyzzy tag in the above
>
> s/list/list the/

Noted.

>> +There is no need to fetch and keep a signed tag like `frotz-for-xyzzy`
>> +that is used for frequent "pull" exchange in the long term just for such
>> +auditing purposes, as the signature is recorded as part of the merge
>> +commit.
>
> I had trouble parsing this sentence.  I think part of the problem is that
> it's comparing the actual implementation to an earlier proposed design that
> was rejected.  So it's trying to sell the reader on a feature of the
> implemented design, but the reader doesn't care.
>
> How about this instead:
>
> There is no need for the auditor to explicitly fetch the contributor's
> signature, or to even be aware of what tag(s) the contributor and integrator
> used to communicate the signature.  All the required information is recorded
> as part of the merge commit.

Ok, that is much easier to read.

>> +
>> +
>> +Footnotes
>> +---------
>> +
>> +*1* This example uses the `-m` option to create a signed tag with just a
>> +single liner message, but this is for illustration purposes only. It is
>
> s/single liner/single-line/

Noted.

Thanks.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] pulling signed tag: add howto document
  2012-01-18 21:22     ` Junio C Hamano
@ 2012-01-18 21:40       ` Marc Branchaud
  2012-01-18 22:27         ` Junio C Hamano
  0 siblings, 1 reply; 10+ messages in thread
From: Marc Branchaud @ 2012-01-18 21:40 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

On 12-01-18 04:22 PM, Junio C Hamano wrote:
> Marc Branchaud <marcnarc@xiplink.com> writes:
>>> +
>>> +------------
>>> + $ git checkout work
>>> + $ ... "git pull" from sublieutenants, "git commit" your own work ...
>>> + $ git tag -s -m "Completed frotz feature" frotz-for-xyzzy work
>>> +------------
>>> +
>>> +and pushes the tag out to her publishing repository [*2*]. There is no
>>
>> This footnote speaks of the example using a +, but the example does no such
>> thing.
>>
>>> +need to push the `work` branch or anything else:
>>> +
>>> +------------
>>> + $ git push example.com:/git/froboz.git/ +frotz-for-xyzzy
>>> +------------
> 
> Do you not see the plus in front of +'frotz-for-xyzzy' above, or am I
> missing something?

Oops, I was tripped up because the footnote is attached to a sentence that my
addled mind associates with the previous "git tag" example.

It might be better to just move the footnote to the end of the next sentence.

		M.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] pulling signed tag: add howto document
  2012-01-18 21:40       ` Marc Branchaud
@ 2012-01-18 22:27         ` Junio C Hamano
  2012-01-18 22:35           ` Marc Branchaud
  0 siblings, 1 reply; 10+ messages in thread
From: Junio C Hamano @ 2012-01-18 22:27 UTC (permalink / raw)
  To: Marc Branchaud; +Cc: Junio C Hamano, git

Marc Branchaud <marcnarc@xiplink.com> writes:

> It might be better to just move the footnote to the end of the next sentence.

Ok. How does this version look?  The highlights are:

 * remove footnotes and spell them out inline, like "Note that..."

 * "a single liner" -> "a one-liner"

 * "publishing repository" -> "public repository". I often use the former
   when I want to differenciate a repository used to publish the work by a
   single owner from a shared public repository, so technically the wording
   could stay as-is, but I think it is clear that we mean publishing one
   not a shared one from the context of this document.

 * Drop the attempt to say "you would see these 'Good signature from...'
   if and only if the signature verifies OK" altogether. It is clear from
   the example that the signature was good.

 * Replace the paragraph that explains there is no need to keep and
   transfer signed tags for auditors with your version.

Thanks.

 .../howto/using-signed-tag-in-pull-request.txt     |   60 +++++++++----------
 1 files changed, 28 insertions(+), 32 deletions(-)

diff --git a/Documentation/howto/using-signed-tag-in-pull-request.txt b/Documentation/howto/using-signed-tag-in-pull-request.txt
index efac088..a1351c5 100644
--- a/Documentation/howto/using-signed-tag-in-pull-request.txt
+++ b/Documentation/howto/using-signed-tag-in-pull-request.txt
@@ -58,7 +58,7 @@ A contributor or a lieutenant
 -----------------------------
 
 After preparing her work to be pulled, the contributor uses `git tag -s`
-to create a signed tag [*1*]:
+to create a signed tag:
 
 ------------
  $ git checkout work
@@ -66,14 +66,27 @@ to create a signed tag [*1*]:
  $ git tag -s -m "Completed frotz feature" frotz-for-xyzzy work
 ------------
 
-and pushes the tag out to her publishing repository [*2*]. There is no
-need to push the `work` branch or anything else:
+Note that this example uses the `-m` option to create a signed tag with
+just a one-liner message, but this is for illustration purposes only. It
+is advisable to compose a well-written explanation of what the topic does
+to justify why it is worthwhile for the integrator to pull it, as this
+message will eventually become part of the final history after the
+integrator responds to the pull request (as we will see later).
+
+Then she pushes the tag out to her public repository:
 
 ------------
  $ git push example.com:/git/froboz.git/ +frotz-for-xyzzy
 ------------
 
-Then the contributor prepares a message to request a "pull":
+There is no need to push the `work` branch or anything else.
+
+Note that the above command line used a plus sign at the beginning of
+`+frotz-for-xyzzy` to allow forcing the update of a tag, as the same
+contributor may want to reuse a signed tag with the same name after the
+previous pull request has already been responded to.
+
+The contributor then prepares a message to request a "pull":
 
 ------------
  $ git request-pull v3.2 example.com:/git/froboz.git/ frotz-for-xyzzy >msg.txt
@@ -148,22 +161,21 @@ In the editor, the integrator will see something like this:
  # gpg: Good signature from "Con Tributor <nitfol@example.com>"
 ------------
 
-provided if the signature in the signed tag verifies correctly. Notice
-that the message recorded in the signed tag "Completed frotz feature"
-appears here, and again that is why it is important for the contributor
-to explain her work well when creating the signed tag.
+Notice that the message recorded in the signed tag "Completed frotz
+feature" appears here, and again that is why it is important for the
+contributor to explain her work well when creating the signed tag.
 
 As usual, the lines commented with `#` are stripped out. The resulting
 commit records the signed tag used for this validation in a hidden field
 so that it can later be used by others to audit the history. There is no
 need for the integrator to keep a separate copy of the tag in his
-repository (i.e. `git tag -l` won't list frotz-for-xyzzy tag in the above
-example), and there is no need to publish the tag to his public
+repository (i.e. `git tag -l` won't list the `frotz-for-xyzzy` tag in the
+above example), and there is no need to publish the tag to his public
 repository, either.
 
 After the integrator responds to the pull request and her work becomes
-part of the permanent history, the contributor can remove the tag from the
-publishing repository, if she chooses, in order to keep the tag namespace
+part of the permanent history, the contributor can remove the tag from
+her public repository, if she chooses, in order to keep the tag namespace
 of her public repository clean, with:
 
 ------------
@@ -199,23 +211,7 @@ A typical output from `git show --show-signature` may look like this:
        ...
 ------------
 
-There is no need to fetch and keep a signed tag like `frotz-for-xyzzy`
-that is used for frequent "pull" exchange in the long term just for such
-auditing purposes, as the signature is recorded as part of the merge
-commit.
-
-
-Footnotes
----------
-
-*1* This example uses the `-m` option to create a signed tag with just a
-single liner message, but this is for illustration purposes only. It is
-advisable to compose a well-written explanation of what the topic does to
-justify why it is worthwhile for the integrator to pull it, as this
-message will eventually become part of the final history after the
-integrator responds to the pull request.
-
-*2* The example uses plus at the beginning of `+frotz-for-xyzzy` to allow
-forcing the update of a tag, as the same contributor may want to reuse a
-signed tag with the same name after the previous pull request has already
-been responded to.
+There is no need for the auditor to explicitly fetch the contributor's
+signature, or to even be aware of what tag(s) the contributor and integrator
+used to communicate the signature.  All the required information is recorded
+as part of the merge commit.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] pulling signed tag: add howto document
  2012-01-18 22:27         ` Junio C Hamano
@ 2012-01-18 22:35           ` Marc Branchaud
  0 siblings, 0 replies; 10+ messages in thread
From: Marc Branchaud @ 2012-01-18 22:35 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

On 12-01-18 05:27 PM, Junio C Hamano wrote:
> Marc Branchaud <marcnarc@xiplink.com> writes:
> 
>> It might be better to just move the footnote to the end of the next sentence.
> 
> Ok. How does this version look?  The highlights are:
> 
>  * remove footnotes and spell them out inline, like "Note that..."
> 
>  * "a single liner" -> "a one-liner"

IMO "one-liner" should be "one-line", but toMAYto toMAHto...

The rest looks good.

		M.

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2012-01-18 22:35 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-01-17 22:53 Using signed tag in pull requests Junio C Hamano
2012-01-17 23:29 ` [PATCH] pulling signed tag: add howto document Junio C Hamano
2012-01-18 15:15   ` Marc Branchaud
2012-01-18 21:22     ` Junio C Hamano
2012-01-18 21:40       ` Marc Branchaud
2012-01-18 22:27         ` Junio C Hamano
2012-01-18 22:35           ` Marc Branchaud
2012-01-18  1:07 ` Using signed tag in pull requests Andrew Ardill
2012-01-18  1:47   ` Junio C Hamano
2012-01-18  2:34     ` Andrew Ardill

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).