From b8f5215d0ee70d263c2f74b3f36a9fcbcc4c9b9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20K=C3=BCthe?= Date: Sun, 1 Jan 2023 19:46:44 +0100 Subject: [PATCH] add small security tutorial for git MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marek Küthe --- docs/entitydb/format-rules.md | 2 +- docs/entitydb/security_in_git.md | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 docs/entitydb/security_in_git.md diff --git a/docs/entitydb/format-rules.md b/docs/entitydb/format-rules.md index 7916045..4b285fa 100644 --- a/docs/entitydb/format-rules.md +++ b/docs/entitydb/format-rules.md @@ -30,7 +30,7 @@ The edb repository currently contains two different scripts: | `test.sh` | Tests the JSON files for validity | | `build_maxlen_filter.sh` | Builds a bird-compatible filter list | -## Do I need to sqash my commits before setting a PR? +## Do I need to squash my commits before setting a PR? Yes and No. Changes to files should be traceable. Therefore, a commit is recommended for every change. However, we also want to avoid more than 30 commits for one file in one PR. Therefore, if there are still mistakes in the initial registration, it would be nice to keep the number of commits within limits. With the following commands you can squash two commits to one: diff --git a/docs/entitydb/security_in_git.md b/docs/entitydb/security_in_git.md new file mode 100644 index 0000000..981f697 --- /dev/null +++ b/docs/entitydb/security_in_git.md 
@@ -0,0 +1,18 @@ + +# Security in Git + +Our entitydb is on codeberg.org, a free Git server based on Gitea. + +## Two-factor authentication +Two-factor authentication requires entering a one-time code or using a physical security key in addition to the password when logging into Codeberg. If the password is compressed, an attacker cannot log in to the account. +- [Setting up two-factor authentication](https://docs.codeberg.org/security/2fa/) +- [Free authenticator apps on F-Droid](https://search.f-droid.org/?q=totp) + +## Integrity of the connection to Codeberg +When connecting to Codeberg, an SSH connection is often used. To prevent MITM attacks, you can verify the SSH fingerprint. +- [Verifying you're connected to Codeberg using SSH fingerprints](https://docs.codeberg.org/security/ssh-fingerprint/) + +## Sign the commits +To verify the authenticity and integrity of commits, it is recommended to sign them with GPG. +- [Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) +- [Signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
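Review bot: In the format-rules.md hunk, the heading fix is correct ("sqash" → "squash"), but while touching the line it would be worth fixing the second wording problem in the same heading: "before setting a PR" reads as a translation artefact, and "before opening a PR" is the usual phrasing; the rest of the hunk is unchanged context and needs nothing.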
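Review bot: In the new security_in_git.md hunk, the sentence "If the password is compressed, an attacker cannot log in to the account" in the Two-factor authentication section has the wrong word; it should read "If the password is compromised, an attacker cannot log in to the account", otherwise the security claim of the paragraph is unintelligible. Two smaller points in the same file: the "Sign the commits" section recommends GPG signing but gives only links, so readers still have to find the two settings that actually turn it on (`git config --global user.signingkey <key-id>` and `git config --global commit.gpgsign true`), and a short note that the public key must also be uploaded to the Codeberg account for the signature to be shown as verified would make the section actionable; and since the page is about Codeberg, linking GitHub's signing docs alongside the git-scm chapter is fine but should be labelled as general guidance rather than Codeberg-specific. The SSH fingerprint section is fine as written.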