This PR include text copy/pasted from other repositories. To avoid divergence, the original was redirected to the future section of CONTRIBUTING.md where they are copied.
[DOCS] complete CONTRIBUTING.md #54
:wip-contributing into forgejo-development b0a2b83f9c
to e44e5cb7de
e44e5cb7de
to 832a9602d9
I find it a bit disturbing, that 50 lines of this document are only useful to the secret keepers (I don't mind this information being public).
I would be in favor of splitting the contributing document into multiple documents, depending on the audience. For instance:
- keep everything relevant to occasionnal contributors into
CONTRIBUTING.md - move the
Release processandRelease signing keys managementsections into a separate file (contributing/RELEASE_PROCESS.md) - relevant for the release team - move the
Secretsstuff into a separate file (contributing/SECRETS.md) - relevant for the secrets keeper team - move the
Developer Certificate of Origininto a separate file (contributing/DCO.md) - offload "legal" documents (just like the CoC is linked and not copy/pasted)
The goal would be to keep the CONTRIBUTING.md short, but complete:
- any new contributor can be expected to read it completely
- every contributing question has an answer or a link to the answer
@ -6,0 +6,4 @@
# Code of Conduct, Well Being and Moderation teams
Forgejo strive to be an inclusive project where everyone can participate in a safe environment. The [Well Being](https://codeberg.org/org/forgejo/teams/well-being) team is doing its best to defuse tensions before they escalate and is available to answer all requests sent its way. When diplomacy fails, the [Moderation](https://codeberg.org/org/forgejo/teams/moderation) will be forced to act to put a stop to actions that are contrary to the [Code of Conduct](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).
I guess the 3 links to the code of conduct, should link to our copy of it and not https://www.contributor-covenant.org :
https://codeberg.org/forgejo/code-of-conduct/src/branch/master/code-of-conduct.md (should it be renamed "README.md" to be visibile under https://codeberg.org/forgejo/code-of-conduct ?)
Done and done.
I find it a bit disturbing, that 50 lines of this document are only useful to the secret keepers (I don't mind this information being public).
I will split as you suggest.
832a9602d9
to b78041ffa3
@oliverpool I like it, better organized :-)
b78041ffa3
to a3c2f72dac
Looks good so far. I have some remarks.
@ -0,0 +1,26 @@
# Code of Conduct, Well Being and Moderation teams
Forgejo strive to be an inclusive project where everyone can participate in a safe environment. The [Well Being](https://codeberg.org/org/forgejo/teams/well-being) team is doing its best to defuse tensions before they escalate and is available to answer all requests sent its way. When diplomacy fails, the [Moderation](https://codeberg.org/org/forgejo/teams/moderation) will be forced to act to put a stop to actions that are contrary to the [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
strive -> strives
(a s suffix, because Forgejo is singular).
Yes I addressed this in the Matrix room a few hours ago.
Glad you caught it here 🙂
Yepp, I remember. But figured I bring it up because I haven't seen a review from you before.
I hope that's okay with you.
No by all means, we're a team effort here 🙂
Done.
@ -0,0 +10,4 @@
### [Well Being](https://codeberg.org/org/forgejo/teams/well-being)
Its goal is to defuse tensions.
I understand that „its" refers to the team. But given that it is composed of people, perhaps we should go with „Their"?
@ -0,0 +2,4 @@
## Shared user: release-team
The [release-team](https://codeberg.org/release-team) user authors and signs all releases. The associated email is release@forgejo.org.
A release is authored?
Indeed, a release is "published", not authored.
@ -0,0 +4,4 @@
The [release-team](https://codeberg.org/release-team) user authors and signs all releases. The associated email is release@forgejo.org.
The public GPG key used to sign the releases is [EB114F5E6C0DC2BCDD183550A4B61A2DC5923710](https://codeberg.org/release-team.gpg) `Forgejo Releases <release@forgejo.org>`
Does it make sense to also publish the fingerprint?
Do you mean it should be removed?
I could be too cautious here, but I remember from key-signing parties, that the key ID is „not enough" and the option to compare fingerprints offers an additional layer of trust.
In this case the key ID is for verifying the signature rather than signing another key. It think this is fine.
@ -0,0 +22,4 @@
## Release process
* Reset the vX.Y/forgejo-integration branch to the Gitea tag vX.Y.Z
* Merge all feature branches into the vX.Y/forgejo-integration branch
That is with a merge commit? Do we have to take into account fast-forwarding?
That is an implementation detail. It will be clearer if all are merged instead of having ome fast forwarded.
@ -0,0 +30,4 @@
## Release signing keys management
A GPG master key with no expiration date is created and shared with members of the Owners team via encrypted email. A subkey with a one year expiration date is created and stored in the secrets repository, to be used by the CI pipeline. The public master key is stored in the secrets repository and published where relevant.
Should we document the expiration date somewhere? These kind of things tend to break (see also TLS certificates).
Very good point, added one here #58 and document it so that it is done next year.
@ -0,0 +4,4 @@
## Get started
1. Make sure you have a GPG Key, or [create one](https://github.com/NicoHood/gpgit#12-key-generation)
Does it make sense to mirror that repo in case it vanishes at some point?
It's easy enough to find similar instructions, even if this vanishes.
@ -0,0 +10,4 @@
# Commands for the other person
$ gpg --import public_key.asc
# The following command will open a prompt, with the available public keys.
# Chosse the one you just added and all secrets will be re-encrypted with this new key.
Choose instead of Chosse.
@ -0,0 +19,4 @@
```
$ gopass clone git@codeberg.org:Forgejo/gopass.git
```
5. Ensure everything looks fine
That's quite vague, I think.
replaced with "Check the consistency of the gopass storage"
@ -0,0 +21,4 @@
```
5. Ensure everything looks fine
```
$ gopass fsck
What is the expected output? An exit code of 0?
I think it is reasonable to assume the reader will figure that out by reading the documentation. What matters is the reminder to run the command rather than a detailed explanation of how it works.
@ -0,0 +2,4 @@
The [security team](https://codeberg.org/org/forgejo/teams/security) handle security vulnerabilities. It handles sensitive security-related issues reported to [security@forgejo.org](mailto:security@forgejo.org) using [encryption](https://keyoxide.org/security@forgejo.org).
The security team also keeps the content of the https://codeberg.org/forgejo/website/src/branch/main/public/.well-known/security.txt file up to date.
Can we link the security.txt?
https://codeberg.org/forgejo/website/src/branch/main/public/.well-known/security.txt is a link to security.txt I'm not sure what you are suggesting?
[security.txt](https://codeberg.org/forgejo/website/src/branch/main/public/.well-known/security.txt) instead of dropping the link.
@ -0,0 +4,4 @@
The security team also keeps the content of the https://codeberg.org/forgejo/website/src/branch/main/public/.well-known/security.txt file up to date.
The private GPG key for `security@forgejo.org` is shared among all members of the security team and not stored online.
Do we need to consider rotation here?
E.g. after a new government and people changed in the team.
Yes but I also think it is fine to leave that for later. Doing it properly will require discussions that should happen in a separate issue.
@ -0,0 +42,4 @@
## Feature branches
All *Feature branches* are based on the \*forgejo-development branch which provides and other development tools and documenation.
Backslash on purpose?
It is confusing indeed, I replaced that with {vX.Y/,}forgejo-development
@ -67,3 +45,2 @@
## Thanks to ...
If you are interested in making forgejo better, either by reporting a bug or by changing the governance, please [take a look at the contribution guide](CONTRIBUTING.md).
Forgejo or forgejo?
Forgejo is a proper noun, therefore, yes the "F" should be capitalized.
I was more thinking along the lines of having a consisting casing.
a3c2f72dac
to 88a2c7eeb3
@ -0,0 +9,4 @@
## Grant applications
* [NLnet December 1st 2022](https://codeberg.org/forgejo/funding/issues/1)
I created issue 4 in that repo just now for the UI/UX application that I'm working on since two weeks.
6c0f23a8cf
to d78f1f4316
This is already a major improvement. Let's get this in.
Nitpicks can be addressed by a follow-up PR.
@ -0,0 +19,4 @@
### [Moderation](https://codeberg.org/org/forgejo/teams/moderation)
Its goal is to enforce the [Code of Conduct](https://codeberg.org/forgejo/code-of-conduct) when diplomacy fails.
Ah, well. Can be turned to „their" in a future update.
I wasn't sure, whether I should point every occassion.
@ -0,0 +2,4 @@
## Shared user: release-team
The [release-team](https://codeberg.org/release-team) user publishes and signs all releases. The associated email is release@forgejo.org.
Should the mail be marked up with mailto:?
d78f1f4316
to 5908c21516
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
Archived
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?