-rw-r--r--b4/__init__.py25
-rw-r--r--man/b4.568
-rw-r--r--man/b4.5.rst20
3 files changed, 46 insertions, 67 deletions
diff --git a/b4/__init__.py b/b4/__init__.py
index b757780..7d689a0 100644
--- a/b4/__init__.py
+++ b/b4/__init__.py
@@ -97,12 +97,7 @@ DEFAULT_CONFIG = {
# check: print an attaboy when attestation is found
# softfail: print a warning when no attestation found
# hardfail: exit with an error when no attestation found
- 'attestation-policy': 'check',
- # "gpg" (whatever gpg is configured to do) or "tofu" to force tofu mode
- 'attestation-trust-model': 'gpg',
- # strict: must match one of the uids on the key to pass
- # loose: any valid and trusted key will be accepted
- 'attestation-uid-match': 'loose',
+ 'attestation-policy': 'softfail',
# How many days before we consider attestation too old?
'attestation-staleness-days': '30',
# Should we check DKIM signatures if we don't find any other attestation?
@@ -499,6 +494,11 @@ class LoreSeries:
addmysob = False
attpolicy = config['attestation-policy']
+ try:
+ maxdays = int(config['attestation-staleness-days'])
+ except ValueError:
+ logger.info('WARNING: attestation-staleness-days must be an int')
+ maxdays = 0
# Loop through all patches and see if attestation is the same for all of them,
# since it usually is
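Review bot: The `except ValueError` branch sets `maxdays = 0`, and because the new guard in `get_attestation_trailers` is `if maxdays and ...`, a mistyped `attestation-staleness-days` switches the staleness check off instead of failing safe. Falling back to the shipped default keeps the check active, e.g. `maxdays = int(DEFAULT_CONFIG['attestation-staleness-days'])`, and the message reads better at a real warning level (`logger.warning('attestation-staleness-days must be an int, using default')`) than as `logger.info('WARNING: ...')`. A negative value parses cleanly and is truthy, so it reaches `check_time_drift` unvalidated; what happens then depends on code outside this hunk, so rejecting `maxdays < 0` here seems worthwhile. The enclosing method starts and ends outside the hunk.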
@@ -513,7 +513,7 @@ class LoreSeries:
attsame = False
break
- checkmark, trailers, attcrit = lmsg.get_attestation_trailers(attpolicy)
+ checkmark, trailers, attcrit = lmsg.get_attestation_trailers(attpolicy, maxdays)
if attref is None:
attref = trailers
attmark = checkmark
@@ -551,7 +551,7 @@ class LoreSeries:
logger.info(' %s', lmsg.full_subject)
else:
- checkmark, trailers, critical = lmsg.get_attestation_trailers(attpolicy)
+ checkmark, trailers, critical = lmsg.get_attestation_trailers(attpolicy, maxdays)
logger.info(' %s %s', checkmark, lmsg.full_subject)
for trailer in trailers:
logger.info(' %s', trailer)
@@ -1022,11 +1022,14 @@ class LoreMessage:
attestor = LoreAttestorPatatt(passing, identity, signtime, keysrc, keyalgo, errors)
self._attestors.append(attestor)
- def get_attestation_trailers(self, attpolicy: str) -> Tuple[str, list, bool]:
+ def get_attestation_trailers(self, attpolicy: str, maxdays: int = 0) -> Tuple[str, list, bool]:
trailers = list()
checkmark = None
critical = False
for attestor in self.attestors:
+ if maxdays and not attestor.check_time_drift(self.date, maxdays):
+ logger.debug('The time drift is too much, marking as non-passing')
+ attestor.passing = False
if not attestor.passing:
# Is it a person-trailer for which we have a key?
if attestor.level == 'person':
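Review bot: The added guard overwrites `attestor.passing` from inside a method named as a getter, so calling `get_attestation_trailers` now permanently changes attestor state, and only when the caller passes a non-zero `maxdays` (the default `maxdays: int = 0` skips the check). Per the `check_time_drift` hunk further down, that method also returns False when `self.signtime is None`, so a passing attestor that carries no sign time would be failed under the debug message 'The time drift is too much', which misstates the cause. I would call it only for attestors that are still passing, `if maxdays and attestor.passing and not attestor.check_time_drift(self.date, maxdays):`, and treat a missing `signtime` as its own case with its own message. A docstring should say that `maxdays=0` disables the staleness check and that the method may flip `passing`. Whether a reason is appended to `attestor.errors` is not visible here; the method body continues past the end of the hunk.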
@@ -1540,12 +1543,12 @@ class LoreAttestor:
return '%s/%s' % (mode, self.identity)
- def check_time_drift(self, emldate, maxdays: int = 7) -> bool:
+ def check_time_drift(self, emldate, maxdays: int = 30) -> bool:
if not self.passing or self.signtime is None:
return False
try:
- sigdate = datetime.datetime.utcfromtimestamp(int(self.signtime))
+ sigdate = datetime.datetime.utcfromtimestamp(int(self.signtime)).replace(tzinfo=datetime.timezone.utc)
except: # noqa
self.errors.append('failed parsing signature date: %s' % self.signtime)
return False
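Review bot: The new `sigdate` line builds a naive datetime with `utcfromtimestamp()` and then attaches UTC with `.replace()`; `sigdate = datetime.datetime.fromtimestamp(int(self.signtime), tz=datetime.timezone.utc)` yields the aware value in one call and avoids `utcfromtimestamp`, which is deprecated from Python 3.12. With `sigdate` now timezone-aware, the comparison against `emldate` (presumably later in this function, outside the hunk) requires `emldate` to be aware as well, since mixing naive and aware datetimes raises TypeError; a comment such as `# emldate must be timezone-aware` on the signature would record that. The unchanged bare `except:  # noqa` just below would be clearer as `except (TypeError, ValueError, OverflowError, OSError):`, so that unrelated failures are not reported as a signature-date parse error.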
diff --git a/man/b4.5 b/man/b4.5
index 496525d..fabacc0 100644
--- a/man/b4.5
+++ b/man/b4.5
@@ -85,19 +85,19 @@ msgid Message ID to process, or pipe a raw message
.B \-h\fP,\fB \-\-help
show this help message and exit
.TP
-.BI \-o \ OUTDIR\fP,\fB \ \-\-outdir \ OUTDIR
+.BI \-o \ OUTDIR\fR,\fB \ \-\-outdir \ OUTDIR
Output into this directory (or use \- to output mailbox contents to stdout)
.TP
-.BI \-p \ USEPROJECT\fP,\fB \ \-\-use\-project \ USEPROJECT
+.BI \-p \ USEPROJECT\fR,\fB \ \-\-use\-project \ USEPROJECT
Use a specific project instead of guessing (linux\-mm, linux\-hardening, etc)
.TP
.B \-c\fP,\fB \-\-check\-newer\-revisions
Check if newer patch revisions exist
.TP
-.BI \-n \ WANTNAME\fP,\fB \ \-\-mbox\-name \ WANTNAME
+.BI \-n \ WANTNAME\fR,\fB \ \-\-mbox\-name \ WANTNAME
Filename to name the mbox file
.TP
-.BI \-m \ LOCALMBOX\fP,\fB \ \-\-use\-local\-mbox \ LOCALMBOX
+.BI \-m \ LOCALMBOX\fR,\fB \ \-\-use\-local\-mbox \ LOCALMBOX
Instead of grabbing a thread from lore, process this mbox file
.TP
.B \-C\fP,\fB \-\-no\-cache
@@ -124,25 +124,25 @@ msgid Message ID to process, or pipe a raw message
.B \-h\fP,\fB \-\-help
show this help message and exit
.TP
-.BI \-o \ OUTDIR\fP,\fB \ \-\-outdir \ OUTDIR
+.BI \-o \ OUTDIR\fR,\fB \ \-\-outdir \ OUTDIR
Output into this directory (or use \- to output mailbox contents to stdout)
.TP
-.BI \-p \ USEPROJECT\fP,\fB \ \-\-use\-project \ USEPROJECT
+.BI \-p \ USEPROJECT\fR,\fB \ \-\-use\-project \ USEPROJECT
Use a specific project instead of guessing (linux\-mm, linux\-hardening, etc)
.TP
.B \-c\fP,\fB \-\-check\-newer\-revisions
Check if newer patch revisions exist
.TP
-.BI \-n \ WANTNAME\fP,\fB \ \-\-mbox\-name \ WANTNAME
+.BI \-n \ WANTNAME\fR,\fB \ \-\-mbox\-name \ WANTNAME
Filename to name the mbox file
.TP
-.BI \-m \ LOCALMBOX\fP,\fB \ \-\-use\-local\-mbox \ LOCALMBOX
+.BI \-m \ LOCALMBOX\fR,\fB \ \-\-use\-local\-mbox \ LOCALMBOX
Instead of grabbing a thread from lore, process this mbox file
.TP
.B \-C\fP,\fB \-\-no\-cache
Do not use local cache
.TP
-.BI \-v \ WANTVER\fP,\fB \ \-\-use\-version \ WANTVER
+.BI \-v \ WANTVER\fR,\fB \ \-\-use\-version \ WANTVER
Get a specific version of the patch/series
.TP
.B \-t\fP,\fB \-\-apply\-cover\-trailers
@@ -163,7 +163,7 @@ Add a lore.kernel.org/r/ link to every patch
.B \-Q\fP,\fB \-\-quilt\-ready
Save mbox patches in a quilt\-ready folder
.TP
-.BI \-P \ CHERRYPICK\fP,\fB \ \-\-cherry\-pick \ CHERRYPICK
+.BI \-P \ CHERRYPICK\fR,\fB \ \-\-cherry\-pick \ CHERRYPICK
Cherry\-pick a subset of patches (e.g. "\-P 1\-2,4,6\-", "\-P _" to use just the msgid specified, or "\-P *globbing*" to match on commit subject)
.TP
.B \-g\fP,\fB \-\-guess\-base
@@ -195,13 +195,13 @@ patchfile Patches to attest
.B \-h\fP,\fB \-\-help
show this help message and exit
.TP
-.BI \-f \ SENDER\fP,\fB \ \-\-from \ SENDER
+.BI \-f \ SENDER\fR,\fB \ \-\-from \ SENDER
OBSOLETE: this option does nothing and will be removed
.TP
.B \-n\fP,\fB \-\-no\-submit
OBSOLETE: this option does nothing and will be removed
.TP
-.BI \-o \ OUTPUT\fP,\fB \ \-\-output \ OUTPUT
+.BI \-o \ OUTPUT\fR,\fB \ \-\-output \ OUTPUT
OBSOLETE: this option does nothing and will be removed
.UNINDENT
.UNINDENT
@@ -222,10 +222,10 @@ msgid Message ID to process, or pipe a raw message
.B \-h\fP,\fB \-\-help
show this help message and exit
.TP
-.BI \-g \ GITDIR\fP,\fB \ \-\-gitdir \ GITDIR
+.BI \-g \ GITDIR\fR,\fB \ \-\-gitdir \ GITDIR
Operate on this git tree instead of current dir
.TP
-.BI \-b \ BRANCH\fP,\fB \ \-\-branch \ BRANCH
+.BI \-b \ BRANCH\fR,\fB \ \-\-branch \ BRANCH
Check out FETCH_HEAD into this branch after fetching
.TP
.B \-c\fP,\fB \-\-check
@@ -234,7 +234,7 @@ Check if pull request has already been applied
.B \-e\fP,\fB \-\-explode
Convert a pull request into an mbox full of patches
.TP
-.BI \-o \ OUTMBOX\fP,\fB \ \-\-output\-mbox \ OUTMBOX
+.BI \-o \ OUTMBOX\fR,\fB \ \-\-output\-mbox \ OUTMBOX
Save exploded messages into this mailbox (default: msgid.mbx)
.UNINDENT
.UNINDENT
@@ -252,25 +252,25 @@ b4 ty [\-h] [\-g GITDIR] [\-o OUTDIR] [\-l] [\-s SEND [SEND ...]] [\-d DISCARD [
.B \-h\fP,\fB \-\-help
show this help message and exit
.TP
-.BI \-g \ GITDIR\fP,\fB \ \-\-gitdir \ GITDIR
+.BI \-g \ GITDIR\fR,\fB \ \-\-gitdir \ GITDIR
Operate on this git tree instead of current dir
.TP
-.BI \-o \ OUTDIR\fP,\fB \ \-\-outdir \ OUTDIR
+.BI \-o \ OUTDIR\fR,\fB \ \-\-outdir \ OUTDIR
Write thanks files into this dir (default=.)
.TP
.B \-l\fP,\fB \-\-list
List pull requests and patch series you have retrieved
.TP
-.BI \-s \ SEND\fP,\fB \ \-\-send \ SEND
+.BI \-s \ SEND\fR,\fB \ \-\-send \ SEND
Generate thankyous for specific entries from \-l (e.g.: 1,3\-5,7\-; or "all")
.TP
-.BI \-d \ DISCARD\fP,\fB \ \-\-discard \ DISCARD
+.BI \-d \ DISCARD\fR,\fB \ \-\-discard \ DISCARD
Discard specific messages from \-l (e.g.: 1,3\-5,7\-; or "all")
.TP
.B \-a\fP,\fB \-\-auto
Use the Auto\-Thankanator to figure out what got applied/merged
.TP
-.BI \-b \ BRANCH\fP,\fB \ \-\-branch \ BRANCH
+.BI \-b \ BRANCH\fR,\fB \ \-\-branch \ BRANCH
The branch to check against, instead of current
.TP
.BI \-\-since \ SINCE
@@ -296,10 +296,10 @@ optional arguments:
.B \-h\fP,\fB \-\-help
show this help message and exit
.TP
-.BI \-g \ GITDIR\fP,\fB \ \-\-gitdir \ GITDIR
+.BI \-g \ GITDIR\fR,\fB \ \-\-gitdir \ GITDIR
Operate on this git tree instead of current dir
.TP
-.BI \-p \ USEPROJECT\fP,\fB \ \-\-use\-project \ USEPROJECT
+.BI \-p \ USEPROJECT\fR,\fB \ \-\-use\-project \ USEPROJECT
Use a specific project instead of guessing (linux\-mm, linux\-hardening, etc)
.TP
.B \-C\fP,\fB \-\-no\-cache
@@ -315,7 +315,7 @@ Compare specific versions instead of latest and one before that, e.g. \-v 3 5
.B \-n\fP,\fB \-\-no\-diff
Do not generate a diff, just show the command to do it
.TP
-.BI \-o \ OUTDIFF\fP,\fB \ \-\-output\-diff \ OUTDIFF
+.BI \-o \ OUTDIFF\fR,\fB \ \-\-output\-diff \ OUTDIFF
Save diff into this file instead of outputting to stdout
.TP
.B \-c\fP,\fB \-\-color
@@ -334,7 +334,7 @@ Compare two mbx files prepared with "b4 am"
.sp
B4 configuration is handled via git\-config(1), so you can store it in
either the toplevel $HOME/.gitconfig file, or in a per\-repository
-.git/config file if your workflow changes per project.
+\&.git/config file if your workflow changes per project.
.sp
Default configuration, with explanations:
.INDENT 0.0
@@ -361,25 +361,13 @@ Default configuration, with explanations:
# check: print an attaboy when attestation is found
# softfail: print a warning when no attestation found
# hardfail: exit with an error when no attestation found
- attestation\-policy = check
+ attestation\-policy = softfail
#
- # Fall back to checking DKIM header if we don\(aqt find any other
- # attestations present?
+ # Perform DKIM attestation?
attestation\-check\-dkim = yes
#
- # "gpg" (whatever gpg is configured to do) or "tofu" to force TOFU mode
- # If you don\(aqt already have a carefully maintained web of trust setup, it is
- # strongly recommended to set this to "tofu"
- attestation\-trust\-model = gpg
- #
- # How strict should we be when comparing the email address in From to the
- # email addresses in the key\(aqs UIDs?
- # strict: must match one of the uids on the key to pass
- # loose: any valid and trusted key will be accepted
- attestation\-uid\-match = loose
- #
# When showing attestation check results, do you like "fancy" (color, unicode)
- # or simple checkmarks?
+ # or simple markers?
attestation\-checkmarks = fancy
#
# How long before we consider attestation to be too old?
@@ -412,7 +400,7 @@ Default configuration, with explanations:
.SH SUPPORT
.sp
Please email \fI\%tools@linux.kernel.org\fP with support requests,
-or browse the list archive at \fI\%https://linux.kernel.org/g/tools\fP\&.
+or browse the list archive at \fI\%https://lore.kernel.org/tools\fP\&.
.SH AUTHOR
mricon@kernel.org
diff --git a/man/b4.5.rst b/man/b4.5.rst
index ee05675..583d6cc 100644
--- a/man/b4.5.rst
+++ b/man/b4.5.rst
@@ -232,25 +232,13 @@ Default configuration, with explanations::
# check: print an attaboy when attestation is found
# softfail: print a warning when no attestation found
# hardfail: exit with an error when no attestation found
- attestation-policy = check
+ attestation-policy = softfail
#
- # Fall back to checking DKIM header if we don't find any other
- # attestations present?
+ # Perform DKIM attestation?
attestation-check-dkim = yes
#
- # "gpg" (whatever gpg is configured to do) or "tofu" to force TOFU mode
- # If you don't already have a carefully maintained web of trust setup, it is
- # strongly recommended to set this to "tofu"
- attestation-trust-model = gpg
- #
- # How strict should we be when comparing the email address in From to the
- # email addresses in the key's UIDs?
- # strict: must match one of the uids on the key to pass
- # loose: any valid and trusted key will be accepted
- attestation-uid-match = loose
- #
# When showing attestation check results, do you like "fancy" (color, unicode)
- # or simple checkmarks?
+ # or simple markers?
attestation-checkmarks = fancy
#
# How long before we consider attestation to be too old?
@@ -281,4 +269,4 @@ Default configuration, with explanations::
SUPPORT
-------
Please email tools@linux.kernel.org with support requests,
-or browse the list archive at https://linux.kernel.org/g/tools.
+or browse the list archive at https://lore.kernel.org/tools.