-rw-r--r-- | b4/__init__.py | 25 | ||||
-rw-r--r-- | man/b4.5 | 68 | ||||
-rw-r--r-- | man/b4.5.rst | 20 |
3 files changed, 46 insertions, 67 deletions
diff --git a/b4/__init__.py b/b4/__init__.py index b757780..7d689a0 100644 --- a/b4/__init__.py +++ b/b4/__init__.py @@ -97,12 +97,7 @@ DEFAULT_CONFIG = { # check: print an attaboy when attestation is found # softfail: print a warning when no attestation found # hardfail: exit with an error when no attestation found - 'attestation-policy': 'check', - # "gpg" (whatever gpg is configured to do) or "tofu" to force tofu mode - 'attestation-trust-model': 'gpg', - # strict: must match one of the uids on the key to pass - # loose: any valid and trusted key will be accepted - 'attestation-uid-match': 'loose', + 'attestation-policy': 'softfail', # How many days before we consider attestation too old? 'attestation-staleness-days': '30', # Should we check DKIM signatures if we don't find any other attestation? @@ -499,6 +494,11 @@ class LoreSeries: addmysob = False attpolicy = config['attestation-policy'] + try: + maxdays = int(config['attestation-staleness-days']) + except ValueError: + logger.info('WARNING: attestation-staleness-days must be an int') + maxdays = 0 # Loop through all patches and see if attestation is the same for all of them, # since it usually is @@ -513,7 +513,7 @@ class LoreSeries: attsame = False break - checkmark, trailers, attcrit = lmsg.get_attestation_trailers(attpolicy) + checkmark, trailers, attcrit = lmsg.get_attestation_trailers(attpolicy, maxdays) if attref is None: attref = trailers attmark = checkmark @@ -551,7 +551,7 @@ class LoreSeries: logger.info(' %s', lmsg.full_subject) else: - checkmark, trailers, critical = lmsg.get_attestation_trailers(attpolicy) + checkmark, trailers, critical = lmsg.get_attestation_trailers(attpolicy, maxdays) logger.info(' %s %s', checkmark, lmsg.full_subject) for trailer in trailers: logger.info(' %s', trailer) 
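Review bot: `attestation-trust-model` and `attestation-uid-match` are removed from DEFAULT_CONFIG with no deprecation path, so a user who followed the previous man page and set `attestation-uid-match = strict` or `attestation-trust-model = tofu` in git config gets no signal that the stricter policy they chose is no longer enforced. Wherever the user's git-config values are merged over DEFAULT_CONFIG (not visible in this diff) a one-time warning for these two now-ignored keys would avoid a silent weakening of policy. At minimum, a comment next to the new default, such as `# attestation-trust-model / attestation-uid-match were removed; still-set values are ignored`, records the change for the next reader. The DEFAULT_CONFIG dictionary starts and ends outside this hunk.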
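Review bot: The `except ValueError` fallback sets `maxdays = 0`, and get_attestation_trailers only runs the drift check when maxdays is truthy, so a typo in attestation-staleness-days silently disables the staleness check (fail-open) with nothing more than an info-level line. Fall back to the shipped default and log it at warning level instead: `except (TypeError, ValueError):` / `logger.warning('attestation-staleness-days must be an int, using 30')` / `maxdays = 30`. A negative value is accepted by int() and forwarded unchanged; it should be rejected the same way, since its effect in check_time_drift is not defined here. The enclosing LoreSeries method begins before and continues after this hunk.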
@@ -1022,11 +1022,14 @@ class LoreMessage: attestor = LoreAttestorPatatt(passing, identity, signtime, keysrc, keyalgo, errors) self._attestors.append(attestor) - def get_attestation_trailers(self, attpolicy: str) -> Tuple[str, list, bool]: + def get_attestation_trailers(self, attpolicy: str, maxdays: int = 0) -> Tuple[str, list, bool]: trailers = list() checkmark = None critical = False for attestor in self.attestors: + if maxdays and not attestor.check_time_drift(self.date, maxdays): + logger.debug('The time drift is too much, marking as non-passing') + attestor.passing = False if not attestor.passing: # Is it a person-trailer for which we have a key? if attestor.level == 'person': @@ -1540,12 +1543,12 @@ class LoreAttestor: return '%s/%s' % (mode, self.identity) - def check_time_drift(self, emldate, maxdays: int = 7) -> bool: + def check_time_drift(self, emldate, maxdays: int = 30) -> bool: if not self.passing or self.signtime is None: return False try: - sigdate = datetime.datetime.utcfromtimestamp(int(self.signtime)) + sigdate = datetime.datetime.utcfromtimestamp(int(self.signtime)).replace(tzinfo=datetime.timezone.utc) except: # noqa self.errors.append('failed parsing signature date: %s' % self.signtime) return False 
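Review bot: When the drift check fails the attestor is flipped to non-passing, but the reason is emitted only at debug level, so the user sees a failed attestation with no explanation; record it where the other failures go, e.g. `attestor.errors.append('attestation is more than %d days older than the message' % maxdays)` immediately before `attestor.passing = False`. Note that check_time_drift also returns False when signtime is None, so any attestor type that legitimately carries no signature time will now always fail once maxdays is non-zero, and the 'time drift is too much' message is inaccurate in that case. A maxdays of 0 disables the check entirely; this method relies on the caller to validate the value. The for-loop body continues past the end of the hunk.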
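Review bot: The bare `except:` right after the rewritten `sigdate = ...` line also swallows KeyboardInterrupt, SystemExit and any programming error; since `int(self.signtime)` and `utcfromtimestamp` are what can fail on an attacker-supplied timestamp, narrow it to `except (TypeError, ValueError, OverflowError, OSError):`. Because sigdate is now timezone-aware, `emldate` must be aware as well or the comparison further down raises TypeError, which this handler does not cover — that comparison is outside the hunk, so confirm where self.date is built. The 30-day default here duplicates the '30' in DEFAULT_CONFIG and will drift if one is changed without the other. The body of check_time_drift continues past the end of the hunk.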
@@ -85,19 +85,19 @@ msgid Message ID to process, or pipe a raw message .B \-h\fP,\fB \-\-help show this help message and exit .TP -.BI \-o \ OUTDIR\fP,\fB \ \-\-outdir \ OUTDIR +.BI \-o \ OUTDIR\fR,\fB \ \-\-outdir \ OUTDIR Output into this directory (or use \- to output mailbox contents to stdout) .TP -.BI \-p \ USEPROJECT\fP,\fB \ \-\-use\-project \ USEPROJECT +.BI \-p \ USEPROJECT\fR,\fB \ \-\-use\-project \ USEPROJECT Use a specific project instead of guessing (linux\-mm, linux\-hardening, etc) .TP .B \-c\fP,\fB \-\-check\-newer\-revisions Check if newer patch revisions exist .TP -.BI \-n \ WANTNAME\fP,\fB \ \-\-mbox\-name \ WANTNAME +.BI \-n \ WANTNAME\fR,\fB \ \-\-mbox\-name \ WANTNAME Filename to name the mbox file .TP -.BI \-m \ LOCALMBOX\fP,\fB \ \-\-use\-local\-mbox \ LOCALMBOX +.BI \-m \ LOCALMBOX\fR,\fB \ \-\-use\-local\-mbox \ LOCALMBOX Instead of grabbing a thread from lore, process this mbox file .TP .B \-C\fP,\fB \-\-no\-cache 
@@ -124,25 +124,25 @@ msgid Message ID to process, or pipe a raw message .B \-h\fP,\fB \-\-help show this help message and exit .TP -.BI \-o \ OUTDIR\fP,\fB \ \-\-outdir \ OUTDIR +.BI \-o \ OUTDIR\fR,\fB \ \-\-outdir \ OUTDIR Output into this directory (or use \- to output mailbox contents to stdout) .TP -.BI \-p \ USEPROJECT\fP,\fB \ \-\-use\-project \ USEPROJECT +.BI \-p \ USEPROJECT\fR,\fB \ \-\-use\-project \ USEPROJECT Use a specific project instead of guessing (linux\-mm, linux\-hardening, etc) .TP .B \-c\fP,\fB \-\-check\-newer\-revisions Check if newer patch revisions exist .TP -.BI \-n \ WANTNAME\fP,\fB \ \-\-mbox\-name \ WANTNAME +.BI \-n \ WANTNAME\fR,\fB \ \-\-mbox\-name \ WANTNAME Filename to name the mbox file .TP -.BI \-m \ LOCALMBOX\fP,\fB \ \-\-use\-local\-mbox \ LOCALMBOX +.BI \-m \ LOCALMBOX\fR,\fB \ \-\-use\-local\-mbox \ LOCALMBOX Instead of grabbing a thread from lore, process this mbox file .TP .B \-C\fP,\fB \-\-no\-cache Do not use local cache .TP -.BI \-v \ WANTVER\fP,\fB \ \-\-use\-version \ WANTVER +.BI \-v \ WANTVER\fR,\fB \ \-\-use\-version \ WANTVER Get a specific version of the patch/series .TP .B \-t\fP,\fB \-\-apply\-cover\-trailers @@ -163,7 +163,7 @@ Add a lore.kernel.org/r/ link to every patch .B \-Q\fP,\fB \-\-quilt\-ready Save mbox patches in a quilt\-ready folder .TP -.BI \-P \ CHERRYPICK\fP,\fB \ \-\-cherry\-pick \ CHERRYPICK +.BI \-P \ CHERRYPICK\fR,\fB \ \-\-cherry\-pick \ CHERRYPICK Cherry\-pick a subset of patches (e.g. "\-P 1\-2,4,6\-", "\-P _" to use just the msgid specified, or "\-P *globbing*" to match on commit subject) .TP .B \-g\fP,\fB \-\-guess\-base 
@@ -195,13 +195,13 @@ patchfile Patches to attest .B \-h\fP,\fB \-\-help show this help message and exit .TP -.BI \-f \ SENDER\fP,\fB \ \-\-from \ SENDER +.BI \-f \ SENDER\fR,\fB \ \-\-from \ SENDER OBSOLETE: this option does nothing and will be removed .TP .B \-n\fP,\fB \-\-no\-submit OBSOLETE: this option does nothing and will be removed .TP -.BI \-o \ OUTPUT\fP,\fB \ \-\-output \ OUTPUT +.BI \-o \ OUTPUT\fR,\fB \ \-\-output \ OUTPUT OBSOLETE: this option does nothing and will be removed .UNINDENT .UNINDENT @@ -222,10 +222,10 @@ msgid Message ID to process, or pipe a raw message .B \-h\fP,\fB \-\-help show this help message and exit .TP -.BI \-g \ GITDIR\fP,\fB \ \-\-gitdir \ GITDIR +.BI \-g \ GITDIR\fR,\fB \ \-\-gitdir \ GITDIR Operate on this git tree instead of current dir .TP -.BI \-b \ BRANCH\fP,\fB \ \-\-branch \ BRANCH +.BI \-b \ BRANCH\fR,\fB \ \-\-branch \ BRANCH Check out FETCH_HEAD into this branch after fetching .TP .B \-c\fP,\fB \-\-check @@ -234,7 +234,7 @@ Check if pull request has already been applied .B \-e\fP,\fB \-\-explode Convert a pull request into an mbox full of patches .TP -.BI \-o \ OUTMBOX\fP,\fB \ \-\-output\-mbox \ OUTMBOX +.BI \-o \ OUTMBOX\fR,\fB \ \-\-output\-mbox \ OUTMBOX Save exploded messages into this mailbox (default: msgid.mbx) .UNINDENT .UNINDENT 
@@ -252,25 +252,25 @@ b4 ty [\-h] [\-g GITDIR] [\-o OUTDIR] [\-l] [\-s SEND [SEND ...]] [\-d DISCARD [ .B \-h\fP,\fB \-\-help show this help message and exit .TP -.BI \-g \ GITDIR\fP,\fB \ \-\-gitdir \ GITDIR +.BI \-g \ GITDIR\fR,\fB \ \-\-gitdir \ GITDIR Operate on this git tree instead of current dir .TP -.BI \-o \ OUTDIR\fP,\fB \ \-\-outdir \ OUTDIR +.BI \-o \ OUTDIR\fR,\fB \ \-\-outdir \ OUTDIR Write thanks files into this dir (default=.) .TP .B \-l\fP,\fB \-\-list List pull requests and patch series you have retrieved .TP -.BI \-s \ SEND\fP,\fB \ \-\-send \ SEND +.BI \-s \ SEND\fR,\fB \ \-\-send \ SEND Generate thankyous for specific entries from \-l (e.g.: 1,3\-5,7\-; or "all") .TP -.BI \-d \ DISCARD\fP,\fB \ \-\-discard \ DISCARD +.BI \-d \ DISCARD\fR,\fB \ \-\-discard \ DISCARD Discard specific messages from \-l (e.g.: 1,3\-5,7\-; or "all") .TP .B \-a\fP,\fB \-\-auto Use the Auto\-Thankanator to figure out what got applied/merged .TP -.BI \-b \ BRANCH\fP,\fB \ \-\-branch \ BRANCH +.BI \-b \ BRANCH\fR,\fB \ \-\-branch \ BRANCH The branch to check against, instead of current .TP .BI \-\-since \ SINCE @@ -296,10 +296,10 @@ optional arguments: .B \-h\fP,\fB \-\-help show this help message and exit .TP -.BI \-g \ GITDIR\fP,\fB \ \-\-gitdir \ GITDIR +.BI \-g \ GITDIR\fR,\fB \ \-\-gitdir \ GITDIR Operate on this git tree instead of current dir .TP -.BI \-p \ USEPROJECT\fP,\fB \ \-\-use\-project \ USEPROJECT +.BI \-p \ USEPROJECT\fR,\fB \ \-\-use\-project \ USEPROJECT Use a specific project instead of guessing (linux\-mm, linux\-hardening, etc) .TP .B \-C\fP,\fB \-\-no\-cache @@ -315,7 +315,7 @@ Compare specific versions instead of latest and one before that, e.g. \-v 3 5 .B \-n\fP,\fB \-\-no\-diff Do not generate a diff, just show the command to do it .TP -.BI \-o \ OUTDIFF\fP,\fB \ \-\-output\-diff \ OUTDIFF +.BI \-o \ OUTDIFF\fR,\fB \ \-\-output\-diff \ OUTDIFF Save diff into this file instead of outputting to stdout .TP .B \-c\fP,\fB \-\-color 
@@ -334,7 +334,7 @@ Compare two mbx files prepared with "b4 am" .sp B4 configuration is handled via git\-config(1), so you can store it in either the toplevel $HOME/.gitconfig file, or in a per\-repository -.git/config file if your workflow changes per project. +\&.git/config file if your workflow changes per project. .sp Default configuration, with explanations: .INDENT 0.0 @@ -361,25 +361,13 @@ Default configuration, with explanations: # check: print an attaboy when attestation is found # softfail: print a warning when no attestation found # hardfail: exit with an error when no attestation found - attestation\-policy = check + attestation\-policy = softfail # - # Fall back to checking DKIM header if we don\(aqt find any other - # attestations present? + # Perform DKIM attestation? attestation\-check\-dkim = yes # - # "gpg" (whatever gpg is configured to do) or "tofu" to force TOFU mode - # If you don\(aqt already have a carefully maintained web of trust setup, it is - # strongly recommended to set this to "tofu" - attestation\-trust\-model = gpg - # - # How strict should we be when comparing the email address in From to the - # email addresses in the key\(aqs UIDs? - # strict: must match one of the uids on the key to pass - # loose: any valid and trusted key will be accepted - attestation\-uid\-match = loose - # # When showing attestation check results, do you like "fancy" (color, unicode) - # or simple checkmarks? + # or simple markers? attestation\-checkmarks = fancy # # How long before we consider attestation to be too old? @@ -412,7 +400,7 @@ Default configuration, with explanations: .SH SUPPORT .sp Please email \fI\%tools@linux.kernel.org\fP with support requests, -or browse the list archive at \fI\%https://linux.kernel.org/g/tools\fP\&. +or browse the list archive at \fI\%https://lore.kernel.org/tools\fP\&. .SH AUTHOR mricon@kernel.org diff --git a/man/b4.5.rst b/man/b4.5.rst index ee05675..583d6cc 100644 --- a/man/b4.5.rst +++ b/man/b4.5.rst 
@@ -232,25 +232,13 @@ Default configuration, with explanations:: # check: print an attaboy when attestation is found # softfail: print a warning when no attestation found # hardfail: exit with an error when no attestation found - attestation-policy = check + attestation-policy = softfail # - # Fall back to checking DKIM header if we don't find any other - # attestations present? + # Perform DKIM attestation? attestation-check-dkim = yes # - # "gpg" (whatever gpg is configured to do) or "tofu" to force TOFU mode - # If you don't already have a carefully maintained web of trust setup, it is - # strongly recommended to set this to "tofu" - attestation-trust-model = gpg - # - # How strict should we be when comparing the email address in From to the - # email addresses in the key's UIDs? - # strict: must match one of the uids on the key to pass - # loose: any valid and trusted key will be accepted - attestation-uid-match = loose - # # When showing attestation check results, do you like "fancy" (color, unicode) - # or simple checkmarks? + # or simple markers? attestation-checkmarks = fancy # # How long before we consider attestation to be too old? @@ -281,4 +269,4 @@ Default configuration, with explanations:: SUPPORT ------- Please email tools@linux.kernel.org with support requests, -or browse the list archive at https://linux.kernel.org/g/tools. +or browse the list archive at https://lore.kernel.org/tools. |