Skip to content

CONTRIBUTING.md

Latest commit

 

History

History
87 lines (62 loc) · 2.97 KB

CONTRIBUTING.md

File metadata and controls

87 lines (62 loc) · 2.97 KB

Contributing

Verified commits

Commits that show "Verified" on GitHub indicate the author cryptographically signed them. Options:

  • GitHub web UI: Edits via github.com are signed automatically.
  • SSH signing (recommended): Upload an SSH public key as a Signing Key in GitHub Settings (not just auth), then: 
    git config --global user.name "Thor Thor"
git config --global user.email "codethor@gmail.com"
PUBKEY="${HOME}/.ssh/id_ed25519.pub"
test -f "$PUBKEY" || { echo "Missing $PUBKEY. Create/reuse an SSH keypair outside the repo."; exit 1; }
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config --global user.signingkey "$PUBKEY"
  • GPG signing: Configure GPG and add your public key to GitHub.

No private key material or key-generation scripts belong in this repo.

Local commit guardrail (optional)

To reject Co-authored-by trailers before commit creation:

cp scripts/hooks/commit-msg .git/hooks/commit-msg && chmod +x .git/hooks/commit-msg

This does not modify global git config.

Requirements

  • make verify must pass before any PR is merged.
  • Do not weaken tests or relax validation.
  • Do not add self-updating or auto-regenerating behavior for vector/golden files.
  • Deterministic vectors must remain deterministic by construction.

Workflow

  1. Fork and branch from main.
  2. Run make verify locally (includes fmt, lint, test, test-race, fuzz, build, vectors, test-repeat).
  3. Ensure make vectors does not modify committed vector files (byte-for-byte stable).
  4. Submit PR. CI must pass.

Publish checklist

From a clean working tree, run before pushing:

./scripts/pre-push-gate.sh

To confirm commit signing:

git config --global --get gpg.format
git config --global --get commit.gpgsign
git config --global --get user.signingkey

Then: git push -u origin main, tag v0.1.0, push tag, create GitHub Release with Docker/break-NAIVE/SAFE-resists notes.

Branch and Dependency Policies

Branch Management

  • Main branch: Protected - no direct pushes
  • Feature branches: Create from main, submit PR
  • Merge requirements: All tests must pass, at least 1 review

Dependency Updates

This repository uses pinned dependencies for deterministic cryptographic builds.

Process for updates:

  1. Check security alerts in GitHub Security tab
  2. Review changelog for cryptographic implications
  3. Update single dependency: go get -u package@version
  4. Run full verification: make verify
  5. Commit with attribution: git commit -m "deps: update package to vX.X.X"

NO automated dependency updates - all commits must maintain Thor Thor attribution.

Policy

  • Vector generation uses internal/drbg and deterministic handshake paths only. See tests/policy/ for import and symbol guards.
  • Lab-server and production handshake paths must never use deterministic APIs.
  • All crypto API failures must surface as generic ErrDecrypt (no oracle leakage).