Blame - docs/development/submitting-patches.rst - platform/external/python/cryptography

blob: 1797b9c1e69ccbeadb616fe39ba1a6b04a1f5ff5 [file] [log] [blame]

Paul Kehrer	0839aa8	2014-02-11 22:36:51 -0600	[diff] [blame]	1	Submitting Patches
				2	==================
				3
				4	* Always make a new branch for your work.
				5	* Patches should be small to facilitate easier review. `Studies have shown`_
				6	that review quality falls off as patch size grows. Sometimes this will result
				7	in many small PRs to land a single large feature.
				8	* Larger changes should be discussed on `our mailing list`_ before submission.
				9	* New features and significant bug fixes should be documented in the
				10	:doc:`/changelog`.
				11
				12	If you believe you've identified a security issue in ``cryptography``, please
				13	follow the directions on the :doc:`security page </security>`.
				14
				15	Code
				16	----
				17
Paul Kehrer	5b6ce2a	2014-02-24 20:16:10 -0600	[diff] [blame^]	18	When in doubt, refer to :pep:`8` for Python code. You can check if your code
				19	meets our automated requirements by running ``flake8`` against it. If you've
				20	installed the development requirements this will automatically use our
				21	configuration. You can also run the ``tox`` job with ``tox -e pep8``.
Paul Kehrer	0839aa8	2014-02-11 22:36:51 -0600	[diff] [blame]	22
				23	`Write comments as complete sentences.`_
				24
				25	Every code file must start with the boilerplate notice of the Apache License.
				26	Additionally, every Python code file must contain
				27
				28	.. code-block:: python
				29
				30	from __future__ import absolute_import, division, print_function
				31
				32	API Considerations
				33	~~~~~~~~~~~~~~~~~~
				34
				35	Most projects' APIs are designed with a philosophy of "make easy things easy,
				36	and make hard things possible". One of the perils of writing cryptographic code
				37	is that secure code looks just like insecure code, and its results are almost
				38	always indistinguishable. As a result ``cryptography`` has, as a design
				39	philosophy: "make it hard to do insecure things". Here are a few strategies for
				40	API design that should be both followed, and should inspire other API choices:
				41
				42	If it is necessary to compare a user provided value with a computed value (for
				43	example, verifying a signature), there should be an API provided that performs
				44	the verification in a secure way (for example, using a constant time
				45	comparison), rather than requiring the user to perform the comparison
				46	themselves.
				47
				48	If it is incorrect to ignore the result of a method, it should raise an
				49	exception, and not return a boolean ``True``/``False`` flag. For example, a
				50	method to verify a signature should raise ``InvalidSignature``, and not return
				51	whether the signature was valid.
				52
				53	.. code-block:: python
				54
				55	# This is bad.
				56	def verify(sig):
				57	# ...
				58	return is_valid
				59
				60	# Good!
				61	def verify(sig):
				62	# ...
				63	if not is_valid:
				64	raise InvalidSignature
				65
				66	Every recipe should include a version or algorithmic marker of some sort in its
				67	output in order to allow transparent upgrading of the algorithms in use, as
				68	the algorithms or parameters needed to achieve a given security margin evolve.
				69
				70	APIs at the :doc:`/hazmat/primitives/index` layer should always take an
				71	explicit backend, APIs at the recipes layer should automatically use the
				72	:func:`~cryptography.hazmat.backends.default_backend`, but optionally allow
				73	specifying a different backend.
				74
				75	C bindings
				76	~~~~~~~~~~
				77
				78	When binding C code with ``cffi`` we have our own style guide, it's pretty
				79	simple.
				80
				81	Don't name parameters:
				82
				83	.. code-block:: c
				84
				85	// Good
				86	long f(long);
				87	// Bad
				88	long f(long x);
				89
				90	...unless they're inside a struct:
				91
				92	.. code-block:: c
				93
				94	struct my_struct {
				95	char *name;
				96	int number;
				97	...;
				98	};
				99
				100	Include ``void`` if the function takes no arguments:
				101
				102	.. code-block:: c
				103
				104	// Good
				105	long f(void);
				106	// Bad
				107	long f();
				108
				109	Wrap lines at 80 characters like so:
				110
				111	.. code-block:: c
				112
				113	// Pretend this went to 80 characters
				114	long f(long, long,
				115	int *)
				116
				117	Include a space after commas between parameters:
				118
				119	.. code-block:: c
				120
				121	// Good
				122	long f(int, char *)
				123	// Bad
				124	long f(int,char *)
				125
				126	Values set by ``#define`` should be assigned the appropriate type. If you see
				127	this:
				128
				129	.. code-block:: c
				130
				131	#define SOME_INTEGER_LITERAL 0x0;
				132	#define SOME_UNSIGNED_INTEGER_LITERAL 0x0001U;
				133	#define SOME_STRING_LITERAL "hello";
				134
				135	...it should be added to the bindings like so:
				136
				137	.. code-block:: c
				138
				139	static const int SOME_INTEGER_LITERAL;
				140	static const unsigned int SOME_UNSIGNED_INTEGER_LITERAL;
				141	static const char *const SOME_STRING_LITERAL;
				142
				143	Tests
				144	-----
				145
				146	All code changes must be accompanied by unit tests with 100% code coverage (as
				147	measured by the combined metrics across our build matrix).
				148
				149	When implementing a new primitive or recipe ``cryptography`` requires that you
Paul Kehrer	1681a69	2014-02-11 23:43:51 -0600	[diff] [blame]	150	provide a set of test vectors. See :doc:`/development/test-vectors` for more
				151	details.
Paul Kehrer	0839aa8	2014-02-11 22:36:51 -0600	[diff] [blame]	152
				153	Documentation
				154	-------------
				155
				156	All features should be documented with prose in the ``docs`` section.
				157
				158	Because of the inherent challenges in implementing correct cryptographic
				159	systems, we want to make our documentation point people in the right directions
				160	as much as possible. To that end:
				161
				162	* When documenting a generic interface, use a strong algorithm in examples.
				163	(e.g. when showing a hashing example, don't use
				164	:class:`~cryptography.hazmat.primitives.hashes.MD5`)
				165	* When giving prescriptive advice, always provide references and supporting
				166	material.
				167	* When there is real disagreement between cryptographic experts, represent both
				168	sides of the argument and describe the trade-offs clearly.
				169
				170	When documenting a new module in the ``hazmat`` package, its documentation
				171	should begin with the "Hazardous Materials" warning:
				172
				173	.. code-block:: rest
				174
				175	.. hazmat::
				176
				177	When referring to a hypothetical individual (such as "a person receiving an
				178	encrypted message") use gender neutral pronouns (they/them/their).
				179
				180	Docstrings are typically only used when writing abstract classes, but should
				181	be written like this if required:
				182
				183	.. code-block:: python
				184
				185	def some_function(some_arg):
				186	"""
				187	Does some things.
				188
				189	:param some_arg: Some argument.
				190	"""
				191
				192	So, specifically:
				193
				194	* Always use three double quotes.
				195	* Put the three double quotes on their own line.
				196	* No blank line at the end.
				197	* Use Sphinx parameter/attribute documentation `syntax`_.
				198
				199
				200	.. _`Write comments as complete sentences.`: http://nedbatchelder.com/blog/201401/comments_should_be_sentences.html
				201	.. _`syntax`: http://sphinx-doc.org/domains.html#info-field-lists
				202	.. _`Studies have shown`: http://www.ibm.com/developerworks/rational/library/11-proven-practices-for-peer-review/
				203	.. _`our mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev