From 20d8da525b1916fa42111e4c558d69c8cf91e874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Fri, 8 Nov 2019 19:58:10 +0100 Subject: [PATCH 1/4] contrib: precise QCR review procedure --- developer/general/package-contributions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/developer/general/package-contributions.md b/developer/general/package-contributions.md index fb4e753b..36f3e929 100644 --- a/developer/general/package-contributions.md +++ b/developer/general/package-contributions.md @@ -72,6 +72,8 @@ The review procedure is as follows: If the pull request passes the QCR's review, the QCR pushes a [signed][sig] tag to the HEAD commit stating that it has passed review and fast-forward merges the pull request. If the pull request does not pass the QCR's review, the QCR leaves a comment on the pull request explaining why not, and the QCR may decide to close the pull request. +In all the cases, the first condition to be validated by the QCR's review is to ensure that the current packaging (RPM, DEB, etc.) **will not** hijack any core packages of [QubesOS] and of course, none of [QubesOS-contrib] packages too. + Package Maintainers ------------------- If you contribute a package, we assume that you will be the maintainer of that package, unless you tell us otherwise. @@ -93,6 +95,7 @@ If you do not act on your maintainer duties for a given package for an extended [sig]: /doc/code-signing/ [coding guidelines]: /doc/coding-style/ [qubes-devel mailing list]: /support/#qubes-devel +[QubesOS]: https://github.com/QubesOS [QubesOS-contrib]: https://github.com/QubesOS-contrib [qubes-issues]: https://github.com/QubesOS/qubes-issues/issues/ From e5bfb48f8d2bf7ae31aa2ca6fbc84d70d5b4618c Mon Sep 17 00:00:00 2001 
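Review bot: in the first hunk the new criterion hinges on "hijack", which is left undefined, so two QCR reviewers could apply it differently; state what the check actually covers, for example that a contributed package must not declare Provides/Obsoletes/Conflicts against, or ship files owned by, any core QubesOS or QubesOS-contrib package. Minor wording on the same added line: "In all the cases" reads better as "In all cases", and "and of course, none of [QubesOS-contrib] packages too" as "or any [QubesOS-contrib] package". The second hunk only adds the [QubesOS] link definition and matches the existing reference style.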
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Fri, 8 Nov 2019 22:01:59 +0100 Subject: [PATCH 2/4] contrib: improvements from Marek's suggestions --- developer/general/package-contributions.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/developer/general/package-contributions.md b/developer/general/package-contributions.md index 36f3e929..4339b577 100644 --- a/developer/general/package-contributions.md +++ b/developer/general/package-contributions.md @@ -72,7 +72,13 @@ The review procedure is as follows: If the pull request passes the QCR's review, the QCR pushes a [signed][sig] tag to the HEAD commit stating that it has passed review and fast-forward merges the pull request. If the pull request does not pass the QCR's review, the QCR leaves a comment on the pull request explaining why not, and the QCR may decide to close the pull request. -In all the cases, the first condition to be validated by the QCR's review is to ensure that the current packaging (RPM, DEB, etc.) **will not** hijack any core packages of [QubesOS] and of course, none of [QubesOS-contrib] packages too. +In all the cases, the first condition to be validated by the QCR's review is to ensure that the contribution **will not** hijack any core packages of [QubesOS] and of course, none of the [QubesOS-contrib] packages too. More precisely, particular attention to the whole build pipeline will be made with a specific review of: + - Package dependencies, + - Build scripts, + - RPM/DEB installation scripts (e.g. looking at constraints who would hijack other packages), + - Makefiles, + +and any steps which would result in partial/total compromission of legetimate components. Package Maintainers ------------------- From a550680600c53ce8fb59f5f5cc24be7fc60c6a6d Mon Sep 17 00:00:00 2001 
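Review bot: the closing line of the added list in this hunk carries two spelling errors, "compromission" and "legetimate", which should read "compromise" and "legitimate", and "constraints who would hijack" should be "constraints that would hijack". The RPM/DEB item would be more actionable if it named what the reviewer inspects: the RPM %pre/%post scriptlets and Debian maintainer scripts, plus Provides/Obsoletes/Conflicts declarations and file lists that overlap a core package. Since the list now ends in a trailing clause ("and any steps which would result in ..."), the comma after "Makefiles" should stay so the sentence reads as one unit.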
From: Andrew David Wong Date: Fri, 8 Nov 2019 21:27:16 -0600 Subject: [PATCH 3/4] Fix typos --- developer/general/package-contributions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer/general/package-contributions.md b/developer/general/package-contributions.md index 4339b577..49410b47 100644 --- a/developer/general/package-contributions.md +++ b/developer/general/package-contributions.md @@ -78,7 +78,7 @@ In all the cases, the first condition to be validated by the QCR's review is to - RPM/DEB installation scripts (e.g. looking at constraints who would hijack other packages), - Makefiles, -and any steps which would result in partial/total compromission of legetimate components. +and any steps which would result in partial/total compromise of legitimate components. Package Maintainers ------------------- From 96069def4695ebad0ef0a00af6967c196c890b9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Mon, 11 Nov 2019 17:35:34 +0100 Subject: [PATCH 4/4] contrib: improvements from Marek's comments --- developer/general/package-contributions.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/developer/general/package-contributions.md b/developer/general/package-contributions.md index 49410b47..bc52aae5 100644 --- a/developer/general/package-contributions.md +++ b/developer/general/package-contributions.md 
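Review bot: the hunk fixes "compromission" and "legetimate" but leaves "constraints who would hijack other packages" on the context line just above the change; since this commit is already titled "Fix typos", changing "who" to "that" belongs in it rather than in a later commit.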
@@ -74,9 +74,11 @@ The review procedure is as follows: In all the cases, the first condition to be validated by the QCR's review is to ensure that the contribution **will not** hijack any core packages of [QubesOS] and of course, none of the [QubesOS-contrib] packages too. More precisely, particular attention to the whole build pipeline will be made with a specific review of: - Package dependencies, - - Build scripts, + - Build scripts (including downloaded ones), + - All downloaded components should be verified against static hash, - RPM/DEB installation scripts (e.g. looking at constraints who would hijack other packages), - Makefiles, + - Package build [reproducible] and any steps which would result in partial/total compromise of legitimate components. @@ -104,4 +106,4 @@ If you do not act on your maintainer duties for a given package for an extended [QubesOS]: https://github.com/QubesOS [QubesOS-contrib]: https://github.com/QubesOS-contrib [qubes-issues]: https://github.com/QubesOS/qubes-issues/issues/ - +[reproducible]: https://reproducible-builds.org/
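Review bot: two of the items added in the first hunk are not review targets like the surrounding ones: "All downloaded components should be verified against static hash" is a requirement sentence and "Package build [reproducible]" is missing a noun. Suggested rewording: "Downloaded components (each verified against a cryptographic hash pinned in the source tree, not fetched alongside the download)" and "Reproducibility of the package build ([reproducible])". The extension of "Build scripts" to "(including downloaded ones)" is a sound addition, because a script fetched at build time runs inside the build environment; it is worth stating that the pinned hash itself is part of what the QCR reviews, so that any change to the hash is subject to the same review as the script it covers. The second hunk replaces the file's trailing empty line with the [reproducible] link definition; confirm the file still ends with a newline so the reference list stays parseable.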