aboutsummaryrefslogtreecommitdiff
path: root/doc/contributing.texi
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2020-05-05 20:43:21 +0200
committerMarius Bakke <mbakke@fastmail.com>2020-05-05 20:43:21 +0200
commit87a40d7203a813921b3ef0805c2b46c0026d6c31 (patch)
treecebad70c1df30969005c18c4d9faa39d7d80cbf6 /doc/contributing.texi
parentba151b7e1a9cc0baf932b5c5e0c916e54d2e27f4 (diff)
parent751d1f01e4f0607d41e4c859d944753b18466652 (diff)
downloadguix-87a40d7203a813921b3ef0805c2b46c0026d6c31.tar
guix-87a40d7203a813921b3ef0805c2b46c0026d6c31.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'doc/contributing.texi')
-rw-r--r--doc/contributing.texi24
1 files changed, 22 insertions, 2 deletions
diff --git a/doc/contributing.texi b/doc/contributing.texi
index 31b875f817..9583120742 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1187,18 +1187,38 @@ the OpenPGP key you will use to sign commits, and giving its fingerprint
(see below). See @uref{https://emailselfdefense.fsf.org/en/}, for an
introduction to public-key cryptography with GnuPG.
+@c See <https://sha-mbles.github.io/>.
+Set up GnuPG such that it never uses the SHA1 hash algorithm for digital
+signatures, which is known to be unsafe since 2019, for instance by
+adding the following line to @file{~/.gnupg/gpg.conf} (@pxref{GPG
+Esoteric Options,,, gnupg, The GNU Privacy Guard Manual}):
+
+@example
+digest-algo sha512
+@end example
+
@item
Maintainers ultimately decide whether to grant you commit access,
usually following your referrals' recommendation.
@item
+@cindex OpenPGP, signed commits
If and once you've been given access, please send a message to
@email{guix-devel@@gnu.org} to say so, again signed with the OpenPGP key
you will use to sign commits (do that before pushing your first commit).
That way, everyone can notice and ensure you control that OpenPGP key.
-@c TODO: Add note about adding the fingerprint to the list of authorized
-@c keys once that has stabilized.
+@quotation Important
+Before you can push for the first time, maintainers must:
+
+@enumerate
+@item
+add your OpenPGP key to the @code{keyring} branch;
+@item
+add your OpenPGP fingerprint to the @file{.guix-authorizations} file of
+the branch(es) you will commit to.
+@end enumerate
+@end quotation
@item
Make sure to read the rest of this section and... profit!