| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This file was never truly necessary and has never actually been used in
the history of Tailscale's open source releases.
A Brief History of AUTHORS files
---
The AUTHORS file was a pattern developed at Google, originally for
Chromium, then adopted by Go and a bunch of other projects. The problem
was that Chromium originally had a copyright line only recognizing
Google as the copyright holder. Because Google (and most open source
projects) do not require copyright assignemnt for contributions, each
contributor maintains their copyright. Some large corporate contributors
then tried to add their own name to the copyright line in the LICENSE
file or in file headers. This quickly becomes unwieldy, and puts a
tremendous burden on anyone building on top of Chromium, since the
license requires that they keep all copyright lines intact.
The compromise was to create an AUTHORS file that would list all of the
copyright holders. The LICENSE file and source file headers would then
include that list by reference, listing the copyright holder as "The
Chromium Authors".
This also become cumbersome to simply keep the file up to date with a
high rate of new contributors. Plus it's not always obvious who the
copyright holder is. Sometimes it is the individual making the
contribution, but many times it may be their employer. There is no way
for the proejct maintainer to know.
Eventually, Google changed their policy to no longer recommend trying to
keep the AUTHORS file up to date proactively, and instead to only add to
it when requested: https://opensource.google/docs/releasing/authors.
They are also clear that:
> Adding contributors to the AUTHORS file is entirely within the
> project's discretion and has no implications for copyright ownership.
It was primarily added to appease a small number of large contributors
that insisted that they be recognized as copyright holders (which was
entirely their right to do). But it's not truly necessary, and not even
the most accurate way of identifying contributors and/or copyright
holders.
In practice, we've never added anyone to our AUTHORS file. It only lists
Tailscale, so it's not really serving any purpose. It also causes
confusion because Tailscalars put the "Tailscale Inc & AUTHORS" header
in other open source repos which don't actually have an AUTHORS file, so
it's ambiguous what that means.
Instead, we just acknowledge that the contributors to Tailscale (whoever
they are) are copyright holders for their individual contributions. We
also have the benefit of using the DCO (developercertificate.org) which
provides some additional certification of their right to make the
contribution.
The source file changes were purely mechanical with:
git ls-files | xargs sed -i -e 's/\(Tailscale Inc &\) AUTHORS/\1 contributors/g'
Updates #cleanup
Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d
Signed-off-by: Will Norris <will@tailscale.com>
|
|
Allow builds to be outputted to a specific directory.
By default, or if unset, artifacts are written to PWD/dist.
Updates tailscale/corp#27638
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
|
|
Run `staticcheck` with `U1000` to find unused code. This cleans up about
a half of it. I'll do the other half separately to keep PRs manageable.
Updates #cleanup
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Helper command to verify package signatures, mainly for debugging.
Also fix a copy-paste mistake in error message in distsign.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Add `dist.Signer` hook which can arbitrarily sign linux/synology
artifacts. Plumb it through in `cmd/dist` and remove existing tarball
signing key. Distsign signing will happen on a remote machine, not using
a local key.
Updates #755
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Now we have all the commands to generate the key hierarchy and verify
that signing keys were signed correctly:
```
$ ./tool/go run ./cmd/dist gen-key --priv-path root-priv.pem --pub-path root-pub.pem --root
wrote private key to root-priv.pem
wrote public key to root-pub.pem
$ ./tool/go run ./cmd/dist gen-key --priv-path signing-priv.pem --pub-path signing-pub.pem --signing
wrote private key to signing-priv.pem
wrote public key to signing-pub.pem
$ ./tool/go run ./cmd/dist sign-key --root-priv-path root-priv.pem --sign-pub-path signing-pub.pem
wrote signature to signature.bin
$ ./tool/go run ./cmd/dist verify-key-signature --root-pub-path root-pub.pem --sign-pub-path signing-pub.pem --sig-path signature.bin
signature ok
```
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
To make key management less error-prone, use different PEM block types
for root and signing keys. As a result, separate out most of the Go code
between root/signing keys too.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Add a new subcommand to generate a Ed25519 key pair for release signing.
The same command can be used to generate both root and signing keys.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
This builds the assets for the new web client as part of our release
process. The path to the web client source is specified by the
-web-client-root flag. This allows corp builds to first vendor the
tailscale.com module, and then build the web client assets in the vendor
directory.
The default value for the -web-client-root flag is empty, so no assets
are built by default.
This is an update of the previously reverted 0fb95ec
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
|
|
Plumb a signing callback function to `unixpkgs.rpmTarget` to allow
signing RPMs. This callback is optional and RPMs will build unsigned if
not set, just as before.
Updates https://github.com/tailscale/tailscale/issues/1882
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Pass an optional PEM-encoded ECDSA key to `cmd/dist` to sign all built
tarballs. The signature is stored next to the tarball with a `.sig`
extension.
Tested this with an `openssl`-generated key pair and verified the
resulting signature.
Updates #8760
Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
|
|
Some builders return absolute paths to build products already. When that
happens, the manifest writing logic shouldn't tack on another absolute
prefix.
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
By default, cmd/dist only prints the output of failed commands.
With this, you can turn all the noisy output back on.
Updates tailscale/corp#9045
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
|
Signed-off-by: David Anderson <danderson@tailscale.com>
|
