Re: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification - gentoo-portage-dev

From:	Zac Medico <zmedico@g.o>
To:	gentoo-portage-dev@l.g.o, Alec Warner <antarus@g.o>
Subject:	Re: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification
Date:	Wed, 17 Jan 2018 20:50:17
Message-Id:	`98ed4acc-fb3a-73d3-56c8-b4542fd8ec63@gentoo.org`
In Reply to:	Re: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification by Alec Warner

1

On 01/17/2018 07:42 AM, Alec Warner wrote:

2

> On Wed, Jan 17, 2018 at 10:25 AM, Michał Górny <mgorny@g.o

3

> <mailto:mgorny@g.o>> wrote:

4

>

5

>     W dniu wto, 16.01.2018 o godzinie 11∶32 -0800, użytkownik Zac Medico

6

>     napisał:

7

>     > On 01/16/2018 10:39 AM, Michał Górny wrote:

8

>     > > W dniu wto, 16.01.2018 o godzinie 12∶44 -0500, użytkownik Alec

9

>     Warner

10

>     > > napisał:

11

>     > > > On Tue, Jan 16, 2018 at 11:43 AM, Michał Górny

12

>     <mgorny@g.o <mailto:mgorny@g.o>> wrote:

13

>     > > >

14

>     > > > > Include a repo.postsync.d hook to verify the rsync checkout

15

>     using

16

>     > > > > gemato. Given that not all people will want to have it enabled

17

>     > > > > unconditionally, no setup.py rules are included -- instead,

18

>     the file

19

>     > > > > would be installed conditionally by the ebuild.

20

>     > > > >

21

>     > > > > [v2: included link to the wiki page]

22

>     > > > > ---

23

>     > > > >  MANIFEST.in                   |  2 +-

24

>     > > > >  misc/repo.postsync.d/00gemato | 18 ++++++++++++++++++

25

>     > > > >  2 files changed, 19 insertions(+), 1 deletion(-)

26

>     > > > >  create mode 100644 misc/repo.postsync.d/00gemato

27

>     > > > >

28

>     > > > > diff --git a/MANIFEST.in b/MANIFEST.in

29

>     > > > > index 4f6cac162..edc6704e7 100644

30

>     > > > > --- a/MANIFEST.in

31

>     > > > > +++ b/MANIFEST.in

32

>     > > > > @@ -14,4 +14,4 @@ include cnf/make.conf.example.*

33

>     > > > >  include .portage_not_installed

34

>     > > > >

35

>     > > > >  # extra scripts

36

>     > > > > -include misc/*

37

>     > > > > +graft misc

38

>     > > > > diff --git a/misc/repo.postsync.d/00gemato

39

>     b/misc/repo.postsync.d/00gemato

40

>     > > > > new file mode 100644

41

>     > > > > index 000000000..f2af50925

42

>     > > > > --- /dev/null

43

>     > > > > +++ b/misc/repo.postsync.d/00gemato

44

>     > > > > @@ -0,0 +1,18 @@

45

>     > > > > +#!/bin/bash

46

>     > > > > +# repo.postsync.d hook to verify ::gentoo checkout using gemato

47

>     > > > > +

48

>     > > > > +name=${1}

49

>     > > > > +url=${2}

50

>     > > > > +path=${3}

51

>     > > > > +

52

>     > > > > +# keyring installed by gentoo-keys

53

>     > > > >

54

>     +openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg

55

>     > > > >

56

>     > > >

57

>     > > > This seems a bit leaky to me.

58

>     > > >

59

>     > > > Possible to get gentoo-keys to print it?

60

>     > > >

61

>     > > > e.g:

62

>     > > >

63

>     > > > openpgp_key=$(gentoo-keys --print-key-path)

64

>     > >

65

>     > > But app-crypt/gentoo-keys doesn't include that executable, and

66

>     it has

67

>     > > no dependency on app-crypt/gkeys. I'd rather not introduce an

68

>     artificial

69

>     > > dependency here.

70

>     >

71

>     > I suppose we could using a separate ebuild to install this hook,

72

>     so that

73

>     > we can update it separately from portage if necessary. The hook can

74

>     > still live in the portage repository (like emerge-delta-webrsync which

75

>     > is also installed by a separate ebuild).

76

>

77

>     I don't see a strong reason to add yet another rebuild for a single file

78

>     that is going to be updated really rarely. However, if we're going to do

79

>     it that way, then there's no point in putting it in Portage repository.

80

>

81

>     However, this 'update it separately from portage' reminds me of repoman

82

>     that frequently gets seriously outdated and/or incompatible with Portage

83

>     because of independent release cycle...

84

>

85

>

86

> I'll rephrase my objection.

87

>

88

> I don't care what you do as long as Zac (the person releasing portage)

89

> agrees with whatever

90

> requirements you need. If we need 3 releases in a row because the hook

91

> is buggy, as long as

92

> Zac is happy with that I'm happy with that.

93

>

94

> What I don't want to see is surprise when the hook is cut and suddenly

95

> its buggy and we need new

96

> cuts and Zac is not around, or HEAD is broken, or some other problem.

97

>

98

> Looking at the release history, multiple cuts in O(few) days is fairly

99

> common (11/20, 11/21, 12/10, 12/15)

100

> so this seems low risk to me; but AFAIK Zac is usually driving these

101

> changes himself so its a bit more obvious

102

> what is going on. Or just allow Michał to cut his own portage releases

103

> when he needs hook updates.

104

>

105

> -A

106

107

The thing is, this pubring.gpg path tightly couples the hook to gentoo-keys.

108

I'd feel much more comfortable about including it with portage if we

109

used something like this command to query the pubring.gpg location:

110

111

$ gkeys list-key -C gentoo -n snapshot

112

113

Nick.....: snapshot

114

Name.....: Gentoo Tree Snapshot (Automated) Signing Key

115

Keydir...: release

116

Gpg info.: /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg

117

           ---------------------------------------------------------

118

           pub   rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]

119

                 Key fingerprint = D2DE 1DBB A0F4 3EBA 341B  97D8 8255 33CB F6CD 6C97

120

           uid                 [ expired] Gentoo-keys Team <gkeys@g.o>

121

122

           pub   dsa1024/9E6438C817072058 2004-07-20 [SC] [expires: 2018-07-01]

123

                 Key fingerprint = D99E AC73 79A8 50BC E47D  A5F2 9E64 38C8 1707 2058

124

           uid                 [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o>

125

           sub   elg2048/0403710E1415B4ED 2004-07-20 [E] [expires: 2018-07-01]

126

127

           pub   rsa4096/DB6B8C1F96D8BF6D 2011-11-25 [C] [expires: 2018-07-01]

128

                 Key fingerprint = DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D

129

           uid                 [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)

130

           sub   rsa4096/EC590EEAC9189250 2011-11-25 [S] [expires: 2018-07-01]

131

132

           pub   rsa4096/BB572E0E2D182910 2009-08-25 [SC] [expired: 2017-08-25]

133

                 Key fingerprint = 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910

134

           uid                 [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o>

135

136

--

137

Thanks,

138

Zac

Gentoo Archives: gentoo-portage-dev

Attachments

Replies

1	On 01/17/2018 07:42 AM, Alec Warner wrote:
2	> On Wed, Jan 17, 2018 at 10:25 AM, Michał Górny <mgorny@g.o
3	> <mailto:mgorny@g.o>> wrote:
4	>
5	> W dniu wto, 16.01.2018 o godzinie 11∶32 -0800, użytkownik Zac Medico
6	> napisał:
7	> > On 01/16/2018 10:39 AM, Michał Górny wrote:
8	> > > W dniu wto, 16.01.2018 o godzinie 12∶44 -0500, użytkownik Alec
9	> Warner
10	> > > napisał:
11	> > > > On Tue, Jan 16, 2018 at 11:43 AM, Michał Górny
12	> <mgorny@g.o <mailto:mgorny@g.o>> wrote:
13	> > > >
14	> > > > > Include a repo.postsync.d hook to verify the rsync checkout
15	> using
16	> > > > > gemato. Given that not all people will want to have it enabled
17	> > > > > unconditionally, no setup.py rules are included -- instead,
18	> the file
19	> > > > > would be installed conditionally by the ebuild.
20	> > > > >
21	> > > > > [v2: included link to the wiki page]
22	> > > > > ---
23	> > > > > MANIFEST.in \| 2 +-
24	> > > > > misc/repo.postsync.d/00gemato \| 18 ++++++++++++++++++
25	> > > > > 2 files changed, 19 insertions(+), 1 deletion(-)
26	> > > > > create mode 100644 misc/repo.postsync.d/00gemato
27	> > > > >
28	> > > > > diff --git a/MANIFEST.in b/MANIFEST.in
29	> > > > > index 4f6cac162..edc6704e7 100644
30	> > > > > --- a/MANIFEST.in
31	> > > > > +++ b/MANIFEST.in
32	> > > > > @@ -14,4 +14,4 @@ include cnf/make.conf.example.*
33	> > > > > include .portage_not_installed
34	> > > > >
35	> > > > > # extra scripts
36	> > > > > -include misc/*
37	> > > > > +graft misc
38	> > > > > diff --git a/misc/repo.postsync.d/00gemato
39	> b/misc/repo.postsync.d/00gemato
40	> > > > > new file mode 100644
41	> > > > > index 000000000..f2af50925
42	> > > > > --- /dev/null
43	> > > > > +++ b/misc/repo.postsync.d/00gemato
44	> > > > > @@ -0,0 +1,18 @@
45	> > > > > +#!/bin/bash
46	> > > > > +# repo.postsync.d hook to verify ::gentoo checkout using gemato
47	> > > > > +
48	> > > > > +name=${1}
49	> > > > > +url=${2}
50	> > > > > +path=${3}
51	> > > > > +
52	> > > > > +# keyring installed by gentoo-keys
53	> > > > >
54	> +openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
55	> > > > >
56	> > > >
57	> > > > This seems a bit leaky to me.
58	> > > >
59	> > > > Possible to get gentoo-keys to print it?
60	> > > >
61	> > > > e.g:
62	> > > >
63	> > > > openpgp_key=$(gentoo-keys --print-key-path)
64	> > >
65	> > > But app-crypt/gentoo-keys doesn't include that executable, and
66	> it has
67	> > > no dependency on app-crypt/gkeys. I'd rather not introduce an
68	> artificial
69	> > > dependency here.
70	> >
71	> > I suppose we could using a separate ebuild to install this hook,
72	> so that
73	> > we can update it separately from portage if necessary. The hook can
74	> > still live in the portage repository (like emerge-delta-webrsync which
75	> > is also installed by a separate ebuild).
76	>
77	> I don't see a strong reason to add yet another rebuild for a single file
78	> that is going to be updated really rarely. However, if we're going to do
79	> it that way, then there's no point in putting it in Portage repository.
80	>
81	> However, this 'update it separately from portage' reminds me of repoman
82	> that frequently gets seriously outdated and/or incompatible with Portage
83	> because of independent release cycle...
84	>
85	>
86	> I'll rephrase my objection.
87	>
88	> I don't care what you do as long as Zac (the person releasing portage)
89	> agrees with whatever
90	> requirements you need. If we need 3 releases in a row because the hook
91	> is buggy, as long as
92	> Zac is happy with that I'm happy with that.
93	>
94	> What I don't want to see is surprise when the hook is cut and suddenly
95	> its buggy and we need new
96	> cuts and Zac is not around, or HEAD is broken, or some other problem.
97	>
98	> Looking at the release history, multiple cuts in O(few) days is fairly
99	> common (11/20, 11/21, 12/10, 12/15)
100	> so this seems low risk to me; but AFAIK Zac is usually driving these
101	> changes himself so its a bit more obvious
102	> what is going on. Or just allow Michał to cut his own portage releases
103	> when he needs hook updates.
104	>
105	> -A
106
107	The thing is, this pubring.gpg path tightly couples the hook to gentoo-keys.
108	I'd feel much more comfortable about including it with portage if we
109	used something like this command to query the pubring.gpg location:
110
111	$ gkeys list-key -C gentoo -n snapshot
112
113	Nick.....: snapshot
114	Name.....: Gentoo Tree Snapshot (Automated) Signing Key
115	Keydir...: release
116	Gpg info.: /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
117	---------------------------------------------------------
118	pub rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]
119	Key fingerprint = D2DE 1DBB A0F4 3EBA 341B 97D8 8255 33CB F6CD 6C97
120	uid [ expired] Gentoo-keys Team <gkeys@g.o>
121
122	pub dsa1024/9E6438C817072058 2004-07-20 [SC] [expires: 2018-07-01]
123	Key fingerprint = D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058
124	uid [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o>
125	sub elg2048/0403710E1415B4ED 2004-07-20 [E] [expires: 2018-07-01]
126
127	pub rsa4096/DB6B8C1F96D8BF6D 2011-11-25 [C] [expires: 2018-07-01]
128	Key fingerprint = DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
129	uid [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
130	sub rsa4096/EC590EEAC9189250 2011-11-25 [S] [expires: 2018-07-01]
131
132	pub rsa4096/BB572E0E2D182910 2009-08-25 [SC] [expired: 2017-08-25]
133	Key fingerprint = 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
134	uid [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o>
135
136	--
137	Thanks,
138	Zac