New Contributor Process

Code changes must be done with great caution, since ill-considered changes might unintentionally compromise the software's security.

While not strictly necessary, we strongly recommend that all CipherShed code contributors join the developers' mailing list and forums for posting and keeping updated with CipherShed development issues.

We currently use GitHub for managing changes to the codebase. If you are unfamiliar with Git or GitHub, there are many tutorials and explanations on the GitHub website and the Internet. Feel free to also ask us; let us help you help us! :-)

Contributing Code

To get started on contributing code to the CipherShed project, simply follow these steps:

  1. Fork the project on GitHub to your own account.

  2. Clone the repository to your local machine from your own account's fork.
  3. Code away! Make a branch (or several) if you so desire. Commit to your fork.
  4. When finished, submit a pull request through GitHub. The pull request will allow comments and display a changelog for us to review.

  5. The team will review your changes and respond to you. You can make further commits to the same branch and they will automatically be included in the pull request.

If you have questions about the status of your pull request which have not been answered on GitHub, please send an email to the devs list.

Each modification of code must be well-documented. Changes to the master repository must be sent as a pull request through GitHub. Pull requests won't be approved immediately (expect at least a week) to allow time for our security team to review them. This review process verifies that:

General Notes

Management of the Git Repository

The contributors managing the git repository on GitHub generally follow Nvie's model for branching and merging in git. Please read this if you want to understand our model. Only the ways in which we differ from this model are documented here.

Three Types of Contributors

The heart of our security model is careful code review. To aid this process, there are three different "types" of developers, who assume different roles in this review process.

  1. We have a "Security Team" of four people, in three different countries, who carefully review all changes between releases. Only ST members are allowed to edit the "master" branch, or the "review" branch. All changes in all releases are reviewed by at least 3 ST members.
  2. "Official" CipherShed developers are the contributors listed on our GitHub CipherShed/CipherShed project and who are members in our Redmine issue tracking system. In general, they are developers from the community who have made substantial contributions. They are expected to understand our development methodologies, and help create and update them over time. They may create feature and release branches, develop code, commit changes, and merge between branches. However, unless they are also ST members, they may not modify "master" or "review". They may respond to pull requests from the wider CipherShed community of unofficial developers. They are expected to review pull requests for conformance with our methodologies, and merge changes into the appropriate branch.

  3. The third type are "new" developers, who can be anyone who would like to contribute code to CipherShed. The process for this is to fork our CipherShed repository on GitHub, commit your changes to that branch, and then submit a pull request to the "develop" branch (see below for details on the branches).

Becoming an "official" member is easy. Simply write code, and become a valuable contributor. We currently have over 100,000 lines of code to rewrite, and if you feel you can aid in that effort, please join the community!

Branch Naming Convention

We deviate slightly from Nvie's model in how we name branches. Our branches are:

Signing Commits

All merges into develop (or a future release develop-XXX branch) must be signed by the contributor doing the merge. However, individual commits in a feature branch do not have to be signed. When signing a merge, a contributor confirms that she has carefully reviewed all changes in her commit.

All future commits to the "master" and "review" branches have to be digitally signed by an ST member.
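
One way to check the rule above that merges into develop are signed while ordinary feature-branch commits need not be (an added example, not CipherShed's own tooling): the function reads `git log` output and lists merge commits whose signature status is not `G`. Accepting only `G` is an assumption, and the sample hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not CipherShed tooling: flag merge commits that lack a
# good signature. Plain commits are ignored, since the policy above only
# requires merges to be signed.
#
# Expected input on stdin, one commit per line, as produced by:
#   git log --first-parent --format='%H %G? %P' develop
# Fields: <commit hash> <signature status> <parent hashes...>
# %G? status letters: G good, B bad, U good but unknown validity,
# X/Y expired signature or key, R revoked key, E cannot check, N none.

unsigned_merges() {
    # A merge has two or more parents, so at least four fields in total.
    # Assumption: only status G counts as properly signed.
    awk '
        BEGIN { bad = 0 }
        NF >= 4 && $2 != "G" { print $1, $2; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample log (hashes are placeholders, not real commits).
sample_log() {
    cat <<'EOF'
aaa1 G p1 p2
bbb2 N p1
ccc3 N p1 p2
ddd4 U p1 p2
eee5 G p1
EOF
}

# Demo on the constructed sample: prints the two offending merges.
sample_log | unsigned_merges || true
```

The function exits non-zero when any merge fails the check, so it can gate a CI job or a pre-receive hook.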

CipherShed Wiki: DevelopmentProcess (last edited 2014-08-24 15:47:58 by c-67-163-246-121)