Mitchell Baker: Guest Post: Increasing the Level of Participation in the Hiring Process |
This is a guest blog post from Jane Finette, Executive Program Manager, who works closely with me in Office of the Chair.
In a recent blog post Mitchell described why she has been eager to see the hiring process at Mozilla have a larger focus on cross-functional participation, particularly for senior leaders whom we expect to represent a broad swath of Mozilla. Enabling wider participation in how we hire for leadership has been our starting point. She notes we began organizing panel discussions for a broader set of people to talk to the candidate some time ago.
The need to hire for a new senior role, Vice President of Marketing Communications, presented an opportunity to further explore this new type of approach. Jascha Kaykas-Wolff, our CMO and the hiring manager for this role, and I sat down to plan and document some further experiments with the hiring process for this role. Our goal from the start was to explore two outcomes: an increased participation within the organization and the simultaneous creation of a meaningful process for candidates to evaluate us.
Enabling participation in the hiring process for the VP of MarComm position was particularly crucial because this person has a role that represents and communicates publicly about a broad swath of Mozilla. The VP of MarComms oversees the global communications, social media, user support and content marketing teams and works across the organization to develop impactful outbound communications for Mozilla and Firefox products.
What was the process?
Jascha and I designed the interview process right at the start with participation as one of the key objectives. Together we identified interviewers as peers, direct reports, expertise leaders and others who were not from the group where the candidate would work; in this case Marketing. We identified cross-functional areas the hire would interact with on a regular and a geographic basis; these were people who might not otherwise have been part of the interview process.
Here is an overview of the process we devised:
1st round: Peers (no direct reports).
Purpose: Interviewing for values match, strong competency in area of expertise.
2nd round: Direct reports + leaders in area of expertise, including cross-functional areas.
Purpose: Interviewing for leadership attributes, values match, competency in area of expertise.
3rd round: Panel – including moderator and panel members who were not part of the group where the candidate would work. Panel was a maximum of 7 people.
Purpose: Validate values match. Give insights into broader organizational dynamics.
4th round: Case study including peers + direct reports and a small selection of members of the panel. Maximum of 12 people.
Purpose: Place for the person to demonstrate their expertise and shine, and experience a typical environment.
5th round: CEO and Chairwoman
Purpose: Validate values match, leadership and skills where appropriate.
We conducted well over 50 screenings and entered 8 very well qualified candidates into our process. The process took approximately four months to complete, approximately the same amount of time required for an executive level hire.
What have we learned so far?
The hiring process for the VP of MarComm is now complete. Alex Salkever joined Mozilla as our Vice President of Marketing Communications on May 18, 2016.
We have a hypothesis that increasing the level of diversity and participation will lead to stronger hires at Mozilla. We are continuing the pilot to explore this further.
(1) In our opinion interviews are both for the organization and the candidate
(2) Participatory hiring process in senior levels is our starting point
(3) Defining what success looks like helps identify who should participate in the hiring process
(4) Add more people early on
Gotchas:
Often a standard type of interview process is designed for the company, rather than the individual being interviewed. The standard process is intended to maximize assessment in a core area of expertise, whereby candidates are evaluated by their manager, peers and direct reports in their domain only. This creates an unhealthy power balance and exposes a set of addressable biases in the process such as ones based on cultural fit, and skills gap perspectives from other areas of the company.
What’s next?
We will continue to explore, record results and share further findings. We have now begun another participatory hiring experiment at the ‘director’ level role. It’s an interesting question what piece of evidence would conclusively prove cross-functional and cross-level participation in hiring leadership brings benefits to an organization. We’ll continue to experiment.
|
Kat Braybrooke: With love from Barcelona: A year of PhD making, thinking + fun. |
A little while ago, I wrote my first public Medium post 6 months into my PhD at the University of Sussex, describing the experience of taking a crazy leap of faith, moving from Vancouver to London and leaving a full-time job in tech to do so. A whirlwind year later, I now find myself past my first doctoral upgrade as a somewhat official-feeling PhD candidate, many amazing conversations, eureka moments and unexpected travels(!) later. So, without further ado, here is a new piece on Medium about that first year. My hope is that posts like this will give others the extra encouragement they may need to take the plunge and dive into the research they’re passionate about. I know it helped me a great deal when I was considering my next move.
And in a word, it’s all been amazing. Highlights have included seeing Bruno Latour discuss his thoughts on gaia (and blow out a birthday cake!) after presenting a paper at this year’s Society for the History of Technology meeting in Singapore, where the ever-inspiring Sally Jane Norman and I also organized a digital artifact workshop in this glorious psychedelic rainbow room at the city’s new ArtScience Museum, heading to Santa Cruz with Sussex Humanities Lab colleagues for this digital media exchange to play with Arduinos while meeting a group of talented art/tech practitioners there, and generally getting to hang out back in the UK with fascinating humans (and libraries!) in Brighton, Oxford and London while learning everything I could about theories of spatiality, making and community.
I’m writing this today from beautiful, sunny Barcelona, where I’ve been lucky enough to attend this year’s excellent 4S/EASST “Science and Technology By Other Means” conference on scholarship from EASST and the Sussex Digital Humanities Lab. In addition to being a discussant about “careers by other means” at its Doctoral Day, I also presented a paper I’ve submitted to Digital Culture & Society with Tim Jordan which critically examines key technomyths about the maker movement as part of an excellent panel convened by Adrian Smith, Maxigas and other great thinkers in this space entitled “Digital Fabrications Amongst Hackers, Makers and Manufacturers: Whose Industrial Revolution?”.
While presenting to a packed room of STS scholars was one of the more intimidating(!) moments of my academic career so far, the resulting discussion and ideas I received from such an engaged (and thoughtful!) audience made all the stress 100% worth it. I’m very grateful to everyone who came to listen and provide advice. Moments like these, where you get to share your research with the makers, hackers and thinkers who have helped inspire it in the first place, are especially wonderful ones. Here’s to more beautiful memories in the sun (and studio) for all of us!
|
Daniel Pocock: Arrival at FSFE Summit and QtCon 2016, Berlin |
The FSFE Summit and QtCon 2016 are getting under way at bcc, Berlin. The event comprises a range of communities, including KDE and VideoLAN and there are also a wide range of people present who are active in other projects, including Debian, Mozilla, GSoC and many more.
Today, some time between 17:30 and 18:30 I'll be giving a lightning talk about Postbooks, a Qt and PostgreSQL based free software solution for accounting and ERP. For more details about how free, open source software can make your life easier by helping keep track of your money, see my comparison of free, open source accounting software.
Saturday, at 15:00 I'll give a talk about Free Communications with Free Software. We'll look at some exciting new developments in this area and once again, contemplate the question can we hope to use completely free and private software to communicate with our friends and families this Christmas? (apologies to those who don't celebrate Christmas, the security of your communications is just as important too).
There is an entry fee for the QtCon event, however, people attending the FSFE Summit are invited to attend by making a donation. Contact FSFE for more details and consider joining the FSFE Fellowship.
https://danielpocock.com/arrival-at-fsfe-summit-and-qtcon-2016-berlin
|
Mozilla Addons Blog: September 2016 Featured Add-ons |
by Geoffrey De Belie
Open, copy, and bookmark multiple links at the same time. No need to handle them individually anymore!
“Perfect, can’t live without it
https://blog.mozilla.org/addons/2016/09/01/september-2016-featured-add-ons/
|
Mozilla Addons Blog: Add-on Compatibility for Firefox 50 |
Firefox 50 will be released on November 8th. Here’s the list of changes that went into this version that can affect add-on compatibility. There is more information available in Firefox 50 for Developers, so you should also give it a look.
box-sizing: padding-box.
multiprocessCompatible. The multiprocessCompatible flag in the manifest disables all cross-process shims, ensuring the add-on works completely in e10s mode. This bug closes a loophole in this restriction. If you’re unfamiliar with e10s compatibility, please give this a read.
draggesture and dragdrop events. Their standard equivalents should be used: dragstart and drop.
nsIClientAuthDialogs::ChooseCertificate should pass an nsIArray of nsIX509Certs, not strings. This change removes the CERT_USAGE_* constants in nsIX509Cert, used by some add-ons.
nsIX509Cert.getUsagesArray, requestUsagesArrayAsync, and getUsagesString.
Let me know in the comments if there’s anything missing or incorrect on these lists. If your add-on breaks on Firefox 50, I’d like to know.
The automatic compatibility validation and upgrade for add-ons on AMO will happen in a few weeks, so keep an eye on your email if you have an add-on listed on our site with its compatibility set to Firefox 49.
https://blog.mozilla.org/addons/2016/09/01/compatibility-for-firefox-50/
|
Michael Kaply: Upcoming Changes to Root Certificates in Firefox on Windows |
For organizations interested in supporting Firefox on Windows in a managed environment, a longstanding hurdle has been that Firefox does not use the underlying platform’s certificate database when verifying TLS web server certificates. As an organization, having a separate transparent and open certificate authority program furthers Mozilla’s goal of fostering the open web. However, for users in managed environments attempting to connect to services that use non-public certificate hierarchies, this often results in a sub-optimal experience where Firefox will not connect while other browsers will.
To address this shortcoming, we have been developing an optional feature that, when enabled, will search the Windows certificate trust store for certificate authorities that have been added by the user or an administrator. If Firefox encounters any such CAs that are trusted to issue TLS web server certificates, it will incorporate those CAs into its own path building logic. When verifying a server certificate, if Firefox can find a path to one of those imported roots, the connection will succeed.
This feature is available in Firefox 49 and up (currently in beta). To give it a try, set the preference security.enterprise_roots.enabled to true. After that, Firefox should connect successfully to sites using certificates issued by 3rd party root certificates that have been added to the Windows trust database. Note that currently these root certificates will not appear in Firefox’s certificate manager as they are intended to be managed from the interfaces provided by Windows itself. This may change in the future.
But wait – there’s more! Using the same infrastructure, we have developed a similar feature to handle the case where Firefox is being used on an account that is being monitored by the Microsoft Family Safety functionality in Windows 8.1. For background information, this involves a local intercepting proxy that can log and/or block web traffic to and from an account. A similar feature existed briefly in Windows 10 but was reconfigured to only affect Edge. Starting with version 50, instead of showing the untrusted connection error page Firefox should “just work”.
These features are still in the early stages, so if you encounter any unexpected behavior, please feel free to file a bug.
This has been a guest post from David Keeler, Mozilla Engineer.
https://mike.kaply.com/2016/09/01/upcoming-changes-to-root-certificates-in-firefox-on-windows/
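An audit for the preference described in this post, as an added example that is not part of the original post or of Firefox: it reports which profiles have security.enterprise_roots.enabled set to true, and therefore trust CAs from the Windows store. It assumes the standard profile files (prefs.js, with user.js taking precedence at startup) and a profiles directory such as %APPDATA%\Mozilla\Firefox\Profiles copied or mounted where a POSIX shell can read it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which Firefox profiles have the enterprise-roots
# feature switched on. Function names are hypothetical; any profile
# directories used to try it out are the reader's own or constructed.

PREF='security.enterprise_roots.enabled'

# Print the last value ("true"/"false") assigned to $PREF in one prefs file.
# Prints nothing when the file is missing or does not set the pref.
pref_value_in() {
    [ -f "$1" ] || return 0
    awk -v pref="$PREF" '
        /^[ \t]*\/\// { next }                     # ignore commented-out lines
        index($0, "user_pref(\"" pref "\"") {
            if ($0 ~ /,[ \t]*true[ \t]*\)/)       v = "true"
            else if ($0 ~ /,[ \t]*false[ \t]*\)/) v = "false"
        }
        END { if (v != "") print v }' "$1"
}

# Effective value for one profile directory: user.js is applied on every
# start and overrides prefs.js. "default" means neither file sets the pref.
# Values locked through autoconfig files are outside what this checks.
effective_enterprise_roots() {
    v=$(pref_value_in "$1/user.js")
    [ -n "$v" ] || v=$(pref_value_in "$1/prefs.js")
    echo "${v:-default}"
}

# Print the name of every profile under a profiles root that has the
# feature enabled, one per line.
profiles_trusting_os_store() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        if [ "$(effective_enterprise_roots "${dir%/}")" = "true" ]; then
            basename "${dir%/}"
        fi
    done
}
```

Call profiles_trusting_os_store with the profiles root; for each profile it lists, the set of CAs Firefox accepts also depends on what has been added to the Windows trust store on that machine.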
|
Air Mozilla: Intern Presentations, 01 Sep 2016 |
Group 6 of the Interns this summer will be presenting what they worked on. Jimmy Wang- TOR Edouard Oger- SF Ryan Hunt- MV Sam Wood-...
|
Support.Mozilla.Org: What’s Up with SUMO – 1st September |
Hello, SUMO Nation!
Hard to believe, but the year has entered its ninth month already. So, do you still have trouble writing “2016” instead of “2015”? ;-) Quite a few updates coming your way, so let’s get started before it gets too cold!
If you just joined us, don’t hesitate – come over and say “hi” in the forums!
We salute you!
…and that’s it for today! We hope you enjoyed this portion of the latest updates from the world of SUMO. See you around – keep rocking the helpful web! And stay safe!
P.S. Hey, are you following us on Twitter? There’s almost a thousand of you there! :-)
https://blog.mozilla.org/sumo/2016/09/01/whats-up-with-sumo-1st-september/
|
Air Mozilla: Being Human in a Data-Filled World with Genevieve Bell of Intel |
In May, Kevin Kelly shared the possibilities that technology will offer us over the next 30 years. But innovation unchecked can pose serious challenges to...
https://air.mozilla.org/being-human-in-a-data-filled-world-with-genevieve-bell-of-intel/
|
Cameron Kaiser: Talos moves to CrowdSupply |
http://tenfourfox.blogspot.com/2016/09/talos-moves-to-crowdsupply.html
|
Dustin J. Mitchell: Adapting Users to Our Interfaces |
The microwave in my kitchen has a timer on it, which I use when making coffee: TIMER-4-0-0-START. When the time expires, it beeps incessantly at me. The natural reaction from decades of operating microwaves is to hit CANCEL at this point to get the beeping to stop.
However, this doesn’t work. In fact, the designers of the microwave (GE, though probably not here in Schenectady) must have known this, perhaps through user research. When I hit CANCEL, the LED display scrolls a message: PRESS TIMER.
Stop and think about that for a minute. The engineers got feedback that users were hitting CANCEL to stop a beeping timer, and their reaction was to waste precious RAM and programmer time to educate the user about which button to use. Undoubtedly, this was more work than the other option: canceling a beeping timer when the user presses CANCEL.
Lots of software seems to suffer from the same error. For example, Mercurial often has several ways to achieve the same goal, but only one is “blessed” by the designers. When I use the wrong command, Mercurial helpfully tells me what I should have typed, presumably hoping that by the repetition of typing this I will eventually learn not to be so stupid.
In this case, I have used hg add to add a file which I later refactored out of existence:
$ hg rm somefile.js
not removing somefile.js: file has been marked for add (use forget to undo)
The message isn’t even clear! I don’t want to “undo” something – I want to remove a file. I suppose removing a file is always an “undo”, as the file was created at some point, but that’s getting a little philosophical. How about this:
$ hg rm somefile.js
somefile.js: removed
I’m sure there are reasons for hg rm to not do what I mean.
They likely center around not losing data, as that seems to be the driving force behind a lot of its design (despite Mercurial having slaughtered more hours of my work than Git by a long shot).
I’m sure there’s reasons for the CANCEL button to not cancel things, too, based in some similar notion of design purity.
The moral of the story is: if your users are “misusing” your interface, adapt the interface, instead of trying to adapt the user.
http://code.v.igoro.us/posts/2016/09/user-guidance-vs-dwim.html
|
Giorgos Logiotatidis: Docker cache on Travis and Docker 1.12 |
I blogged before about building Docker images on Travis and suggested uploading images after successful test runs to Docker Hub and use them as Cache after downloading them in next Travis runs.
Travis upgraded recently to Docker version 1.12 (from 1.9) and since version 1.10 Docker features Content Addressability for layers. This change breaks caching and we need to implement a workaround using Travis cache.
Changes need to be made in .travis.yml:
cache:
  directories:
    - /home/travis/docker/
Start by requesting Travis to cache the /home/travis/docker directory.
before_install:
  - if [ -f ${DOCKER_CACHE_FILE} ]; then gunzip -c ${DOCKER_CACHE_FILE} | docker load; fi
This checks that ${DOCKER_CACHE_FILE} exists and then loads it in Docker while gunzip-ing it. For convenience and smaller lines I did setup ${DOCKER_CACHE_FILE} as an environment variable:
env:
  global:
    - DOCKER_CACHE_FILE=/home/travis/docker/cache.tar.gz
After building the image and running the tests it's time to save the new Docker image to Travis cache.
I chose to save only when I'm building the master branch but all branches and PRs will still get the cache as Travis will make the cache directory available to all builds.
script:
  # Tests go here
  - if [[ ${TRAVIS_BRANCH} == "master" ]]; then mkdir -p $(dirname ${DOCKER_CACHE_FILE}) ; docker save $(docker history -q ${DOCKER_REPOSITORY}:${TRAVIS_COMMIT} | grep -v '<missing>') | gzip > ${DOCKER_CACHE_FILE}; fi
Note that we don't just docker save the resulting image. Instead we need to save all the intermediate layers explicitly. We get all the layers using docker history and we grep out all the <missing> images.
It's important that docker save happens in the script step because right after this step Travis will save the contents of the cached directory.
Note that Docker saving and loading, as well as Travis uploading and downloading of cache from S3 costs time. It may be faster to rebuild your Docker image instead of caching it.
See also:
Wikipedia article on Content-addressable storage
You can find a real life example of .travis.yml in the Mozilla Snippets project.
https://giorgos.sealabs.net/docker-cache-on-travis-and-docker-112.html
|
Support.Mozilla.Org: Firefox 48 and Firefox for iOS 5.1 Release Report |
August 2016
This report is aiming to capture and explain what has happened during and after the launch of Firefox 48/ Firefox for iOS 5.1 on multiple support fronts: Knowledge Base and localization, 1:1 social and forum support, trending issues and reported bugs, as well as to celebrate and recognize the tremendous work the SUMO community is putting in to make sure our users experience a happy release.
We have lots of ways to contribute, from Support to Social to PR, the ways you can help shape our communications program and tell the world about Mozilla are endless. For more information: [https://goo.gl/NwxLJF]
Article | Voted “helpful” (English/US only) | Global views | Comments from dissatisfied users |
Desktop | |||
https://support.mozilla.org/en-US/kb/firefox-osx | 70-100% | 24,019 | “…Don’t think you force me to update to an OS that don’t allow me to use some of the software that I have installed on my computer.”
“can’t update OS, processor limitations. I’m sure I’m not the only one.” |
Android | |||
https://support.mozilla.org/en-US/kb/how-do-i-copy-and-paste-text-android | 56-67% | 5,078 | “Dropdown right top was showing clipboard. friend used ph. clipboard disappeared. Bluetooth i dont want appeared. How do i put it back as was?!”
“Some websites insist on blocking the paste function for passwords and while I’ve come across a workaround for this when using desktop firefox the mobile version is another matter.” “On some sites this does not work “ |
https://support.mozilla.org/en-US/kb/awesome-bar-search-firefox-bookmarks-history-tabs | 67-80% | 24,308 | — |
https://support.mozilla.org/en-US/kb/save-web-pages-your-reading-list-firefox-android | 70-72% | 23,970 | “A bit confusing to mix bookmarks with reading list. Good breeder generally, well done.”
“Why is my reading list added to my bookmarks? Why isn’t it separate?? I don’t want them together.” |
https://support.mozilla.org/en-US/kb/make-firefox-default-browser-android | 81-83% | 105,530 | “Procedure to set Firefox as default browser is different when setting options are seen on phone. Panasonic P75 is phone tried on.
“Trying to make Firefox my browser for smart ultra 6.” |
https://support.mozilla.org/en-US/kb/control-notifications-firefox-android | 100% | 241 | — |
https://support.mozilla.org/en-US/kb/whats-new-firefox-android | no votes | 74 | — |
Issues to note: This issue showed up in Social and the forums, with the new awesome bar functionality and test pilot awesomebar experiments the ability to turn off the “search with google” was deprecated: ”Search with google” How to remove “search with google” in Firefox 48, I want to disable search in the address bar and browser.urlbar.unifiedcomplete does not work , is there any way to disable browser.urlbar.unifiedcomplete in firefox 48?
The option to disable add-on signing was removed in 48, and an evident population did not agree: Disable add-on signing not available in Firefox 48?
Some dislike was evident in some commentary about the change in URL bar style: Upgraded to Windows 10 & Firefox 47 – now almost impossible to make out active tab
Add-ons: All-in-One Sidebar was fixed: All-in-one sidebar not working in Firefox 48
Quicktime was deprecated for Windows
Android: Firefox for Android 48 in developer preview 5 of Android 7 Nougat may not work properly with uBlock Origins on Nexus Devices: How to fix when Firefox for Android on Android 7 aka N aka Nougat hangs periodically?
Brought to you by Sprinklr
Total contributors in program – 185
New users added between August 2 – August 19, 2016:
Warm welcome to Daniela and Alex Mayorga! Thank you for your help this release, we hope to see more of you.
Top 5 Contributors
This version we had a few new users and a larger amount of engagement
User | Posts and Tweets | Engagements (replies, likes, re-tweets) |
Noah Y | 82 | 102 |
Magno Reis | 35 | 23 |
Andrew Truong | 23 | 22 |
Daniela Albarran | 16 | 22 |
Jhonatas Rodrigues Machacho | 15 | 9 |
Swarnava Sengupta | 9 | 9 |
Alex Mayorga | 5 | 7 |
Outbound Top engagement:
“Firefox is Not Responding” Facebook post issue
Article | Top 10 locale coverage | Top 20 locale coverage |
Desktop (August 2 – 18) | ||
Firefox support has ended for Mac OS X 10.6, 10.7 and 10.8 | 100% | 80% |
Android (August 2 – 18) | ||
How do I copy and paste text on Android? | 100% | 90% |
Awesome Bar – Search your Firefox bookmarks, history and tabs from the address bar | 100% | 90% |
Save web pages to your Reading List on Firefox for Android | 100% | 70% |
Make Firefox the default browser on Android | 100% | 85% |
Control notifications in Firefox for Android | 100% | 75% |
What’s new in Firefox for Android | 100% | 75% |
Questions? Contact Michal.
Twitter:
https://blog.mozilla.org/sumo/2016/08/31/firefox-48-and-firefox-for-ios-5-1-release-report/
|
Air Mozilla: The Joy of Coding - Episode 69 |
mconley livehacks on real Firefox bugs while thinking aloud.
|
Air Mozilla: Weekly SUMO Community Meeting August 31, 2016 |
This is the sumo weekly call
https://air.mozilla.org/weekly-sumo-community-meeting-august-31-2016/
|
Firefox Nightly: Nightly discussion forums and some of the tools we use |
I thought it would be useful to publish a brief post regarding the various communication channels that we are using right now for Nightly, as well as a few of the main tools being used across the project. Suggestions and new ideas regarding communication and tools are always welcome.
Currently we have two active communication channels where you can chat about issues you may be seeing in Firefox Nightly – IRC and the Telegram app. For IRC, you can find us at irc.mozilla.org in #nightly, and on the Telegram app please ask @mozillamarcia to add you to the group “Nightly Testers.” We have a bot that cross posts to both IRC and Telegram, so we now have cross communication between the two channels. If you are seeing a particular bug, it is helpful to mention it on IRC/Telegram app so we can see if it is a known issue or an actual regression.
Follow us on https://twitter.com/FirefoxNightly/.
While there isn’t yet a specific mailing list for nightly (work in progress – we do have a legacy one for Nightly QA Testers), feature development and other topics are often discussed on the Platform and Firefox desktop browser forums. The posts from planet.mozilla.org span the entire Mozilla project, and often Developers will write in detail about what they are currently working on.
Currently Test Day events are being held for the branches, but not specifically for Nightly. If you are interested in organizing a Nightly test event, please reach out to marcia in the #nightly IRC channel.
Socorro is the tool that aggregates all the crash data across the various Mozilla products. It is in this space that you can see and investigate top crashes in the products.
The main crash-stats page has lots of great information about the current state of Nightly as well as the other branches.
Project Uptime is a Platform initiative specific to improving the crash rate on Desktop and Mobile.
https://blog.nightly.mozilla.org/2016/08/31/nightly-discussion-forums-and-some-of-the-tools-we-use/
|
QMO: Firefox 49 Beta 7 Testday Results |
Hello Mozillians!
As you may already know, last Friday – August 26th – we held a new Testday event, for Firefox 49 Beta 7.
Thank you all for helping us make Mozilla a better place – Ron Bentley, Iryna Thompson, Carmen Fat, Logicoma, Moin Shaikh, Aaron Raimist
From Bangladesh: Mohammad Maruf Islam, Samad Talukder, Nazir Ahmed Sabbir, Rezaul huque Nayeem, Azmina Akter Papeya, Saheda Reza Antora, Saddam Hossain, Tanvir Rahman, Kazi nuzhat Tasnem, Maruf Rahman, Sajal Ahmed, Kazi Ashraf Hossain, Md.Majedul islam, Forhad Hossain, Sajedul Islam, Akash, Tazin Ahmed, Toki Yasir, Ria, Sourov_Arko, Amir Hossain Rhidoy, Roy Ayers, Sufi Ahmed Hamim, Fahim.
A big thank you goes out to all our active moderators too!
Results:
https://quality.mozilla.org/2016/08/firefox-49-beta-7-testday-results/
|
Daniel Stenberg: Mozilla’s search for a new logo |
I’m employed by Mozilla. The same Mozilla that recently has announced that it is looking around for feedback on how to revamp its logo and graphical image.
It was with amusement I saw one of the existing suggestions for a new logo using “://” (colon slash slash) in the name:
… compared with the recently announced new curl logo:
Me being in both teams and being a general Internet protocol enthusiast I couldn’t be more happy if Mozilla would end up using a design so clearly based on the same underlying thoughts. After all,
Imitation is the sincerest of flattery
as Charles Caleb Colton once so eloquently expressed it.
https://daniel.haxx.se/blog/2016/08/31/mozillas-search-for-a-new-logo/
|
Wil Clouser: Signing your commits on GitHub with a GPG key |
Every time Chuck Harmston commits to GitHub he has that fancy [verified] tag next to his name and I'm super jealous.
I've been too lazy to add GPG signing to my Git commits because it seemed like too much work, but I had some free time this afternoon and Julien Vehent convinced me it wasn't that hard, so, here we are. Writing this post is partly to encourage everyone to sign their commits, and partly so I can find these steps again when I forget how to do it in the future.
I already have a gpg key I use for Mozilla things, so I'll start with that. Check out your current keys (if this list is empty, you'll need to make a key):
$ gpg --list-keys wclouser@mozilla.com
pub 4096R/4A403229 2013-08-19
uid Wil Clouser <wclouser@mozilla.com>
sub 4096R/B438E342 2013-08-19
I want to use a new subkey for GitHub signing, so I'll edit my existing master key and add a new one:
gpg --edit-key 4A403229
gpg> addkey
<4096 bit RSA signing-only key which expires in two years>
gpg> save
Reviewing my new key:
$ gpg --list-keys wclouser@mozilla.com
pub 4096R/4A403229 2013-08-19
uid Wil Clouser <wclouser@mozilla.com>
sub 4096R/B438E342 2013-08-19
sub 4096R/04D1111C 2016-08-30 [expires: 2018-08-30]
Telling GitHub about the key is pretty straightforward. Firstly, get your public key:
$ gpg --armor --export 04D1111C
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
...
-----END PGP PUBLIC KEY BLOCK-----
Next, load https://github.com/settings/keys and click New GPG Key. Then copy and paste the entire output from the command you ran above into the textarea on that page and click save.
You're going to sign all your commits, right? So let's just add this thing globally (bonus note: you can add this, but it only works in git 2.0 and above. If you have an old version you'll need to add the -S flag to your git commit commands):
$ git config --global commit.gpgsign true
If you have more than one key you'll want to specify the key to use:
$ git config --global user.signingKey 04D1111C
You can change all this stuff in ~/.gitconfig if you'd rather adjust it directly. While you're in there, double check that the user.email value lines up with the email address assigned to your key and the email address that GitHub knows about or else you'll have a mismatch when you try to use it.
Ready to commit something? Edit your files like normal, and git commit. You'll be prompted for your GPG password (unless you use an agent, and you should) and everything else should just work like normal. GitHub will recognize the signed commit:
Transferring secret keys around always raises some eyebrows, but the reality is many of us make commits from multiple computers. As long as you protect the key in transit, this should be relatively secure. Firstly, export it into a couple of files:
gpg --export 04D1111C > key-pub.asc
gpg --export-secret-keys 04D1111C > key-sec.asc
Then securely transfer those files to your laptop (scp is a good choice) and run:
gpg --import key-pub.asc
gpg --import key-sec.asc
When you're done, securely delete the .asc files on both computers (I use shred but there are other options).
And that's it. Signed commits!
http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/
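A check for the configuration described in this post, as an added example that is not part of the original post: it reads `gpg --list-keys --with-colons` output and confirms that the key named in user.signingKey can sign, is not expired or revoked, and carries a user ID matching user.email. The function names are hypothetical, and the sample listing is constructed: it reuses the post's short key IDs padded with zeros and assumes epoch-second dates as printed by GnuPG 2.x.

```shell
#!/bin/sh
# Added example: validate the key that git is configured to sign with.

# Constructed sample of `gpg --list-keys --with-colons` output. Fields used:
# 1 record type, 2 validity, 5 key id, 7 expiry (epoch), 10 user id,
# 12 capabilities (lower-case s = this key itself can sign).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:000000004A403229:1376870400:::u:::scESC:
uid:u::::1376870400::0000000000000000000000000000000000000000::Wil Clouser <wclouser@mozilla.com>:
sub:u:4096:1:00000000B438E342:1376870400::::::e:
sub:u:4096:1:0000000004D1111C:1472515200:1535587200:::::s:
EOF
}

# $1 = file holding the colon listing   $2 = key id from user.signingKey
# $3 = user.email from git config       $4 = current time, epoch seconds
# Prints one of: ok, expired, revoked-or-disabled, not-signing-capable,
# email-mismatch, key-not-found.
check_signing_subkey() {
    awk -F: -v want="$2" -v email="$3" -v now="$4" '
        BEGIN {
            want = toupper(want)
            sub(/^0X/, "", want); sub(/!$/, "", want)   # accept 0x... and ...!
            verdict = "key-not-found"; mail_ok = 0
        }
        # A usable user id must contain <email> exactly.
        $1 == "uid" && $2 !~ /^[rei]/ &&
            index(tolower($10), "<" tolower(email) ">") { mail_ok = 1 }
        $1 == "pub" || $1 == "sub" {
            id = toupper($5)
            # Compare trailing characters so 8-digit short ids also match.
            if (length(id) >= length(want) &&
                substr(id, length(id) - length(want) + 1) == want) {
                if ($2 ~ /^[rd]/)                          verdict = "revoked-or-disabled"
                else if ($7 != "" && $7 + 0 <= now + 0)    verdict = "expired"
                else if ($12 !~ /s/)                       verdict = "not-signing-capable"
                else                                       verdict = "ok"
            }
        }
        END {
            if (verdict == "ok" && !mail_ok) verdict = "email-mismatch"
            print verdict
        }' "$1"
}

# Run the check against the local keyring and git configuration.
audit_git_signing() {
    key=$(git config --get user.signingKey) || {
        echo "user.signingKey not set"; return 1
    }
    tmp=$(mktemp) || return 1
    gpg --list-keys --with-colons --fixed-list-mode "$key" > "$tmp" 2>/dev/null
    check_signing_subkey "$tmp" "$key" \
        "$(git config --get user.email)" "$(date +%s)"
    rm -f "$tmp"
}
```

Running audit_git_signing before the subkey's expiry date comes around catches the case where commits keep being signed with a key GitHub will no longer mark as verified.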
|
Air Mozilla: Privacy Lab - August 2016 - Tools to Teach Privacy |
Erin Berman and members of her web team from the San Jose Public Library (SJPL) will talk about their Virtual Privacy Lab tool, developed with...
https://air.mozilla.org/privacy-lab-august-2016-tools-to-teach-privacy/
|