On 01/17/2018 07:42 AM, Alec Warner wrote:
> On Wed, Jan 17, 2018 at 10:25 AM, Michał Górny <mgorny@g.o
> <mailto:mgorny@g.o>> wrote:
>
> On Tue, 16.01.2018 at 11:32 -0800, Zac Medico wrote:
> > On 01/16/2018 10:39 AM, Michał Górny wrote:
> > > On Tue, 16.01.2018 at 12:44 -0500, Alec Warner wrote:
> > > > On Tue, Jan 16, 2018 at 11:43 AM, Michał Górny <mgorny@g.o <mailto:mgorny@g.o>> wrote:
> > > >
> > > > > Include a repo.postsync.d hook to verify the rsync checkout using
> > > > > gemato. Given that not all people will want to have it enabled
> > > > > unconditionally, no setup.py rules are included -- instead, the file
> > > > > would be installed conditionally by the ebuild.
> > > > >
> > > > > [v2: included link to the wiki page]
> > > > > --- |
> > > > > MANIFEST.in | 2 +- |
> > > > > misc/repo.postsync.d/00gemato | 18 ++++++++++++++++++ |
> > > > > 2 files changed, 19 insertions(+), 1 deletion(-) |
> > > > > create mode 100644 misc/repo.postsync.d/00gemato |
> > > > > |
> > > > > diff --git a/MANIFEST.in b/MANIFEST.in |
> > > > > index 4f6cac162..edc6704e7 100644 |
> > > > > --- a/MANIFEST.in |
> > > > > +++ b/MANIFEST.in |
> > > > > @@ -14,4 +14,4 @@ include cnf/make.conf.example.* |
> > > > > include .portage_not_installed |
> > > > > |
> > > > > # extra scripts |
> > > > > -include misc/* |
> > > > > +graft misc |
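Review bot: `graft misc` at the end of MANIFEST.in pulls every file under misc/ into the source distribution recursively, including anything added there later, where the old `include misc/*` matched only the top level. Since the one new path is misc/repo.postsync.d/00gemato, keeping `include misc/*` and adding `include misc/repo.postsync.d/*` would keep the shipped file set explicit.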
> > > > > diff --git a/misc/repo.postsync.d/00gemato |
> b/misc/repo.postsync.d/00gemato |
> > > > > new file mode 100644 |
> > > > > index 000000000..f2af50925 |
> > > > > --- /dev/null |
> > > > > +++ b/misc/repo.postsync.d/00gemato |
> > > > > @@ -0,0 +1,18 @@ |
> > > > > +#!/bin/bash |
> > > > > +# repo.postsync.d hook to verify ::gentoo checkout using gemato |
> > > > > + |
> > > > > +name=${1} |
> > > > > +url=${2} |
> > > > > +path=${3} |
> > > > > + |
> > > > > +# keyring installed by gentoo-keys |
> > > > > |
> +openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg |
> > > > > |
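Review bot: The `openpgp_key=` assignment hardcodes a path from gentoo-keys' install layout, and the `# keyring installed by gentoo-keys` comment does not say what happens when that file is absent or has moved. The hook is cut off at this line in the quote, so if the remainder does not already do it, test that the keyring is readable and exit non-zero with a clear message, so that a missing keyring fails the sync instead of leaving the checkout unverified.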
> > > >
> > > > This seems a bit leaky to me.
> > > >
> > > > Possible to get gentoo-keys to print it?
> > > >
> > > > e.g:
> > > >
> > > > openpgp_key=$(gentoo-keys --print-key-path)
> > >
> > > But app-crypt/gentoo-keys doesn't include that executable, and it has
> > > no dependency on app-crypt/gkeys. I'd rather not introduce an artificial
> > > dependency here.
> >
> > I suppose we could use a separate ebuild to install this hook, so that
> > we can update it separately from portage if necessary. The hook can
> > still live in the portage repository (like emerge-delta-webrsync which
> > is also installed by a separate ebuild).
>
> I don't see a strong reason to add yet another rebuild for a single file
> that is going to be updated really rarely. However, if we're going to do
> it that way, then there's no point in putting it in Portage repository.
>
> However, this 'update it separately from portage' reminds me of repoman
> that frequently gets seriously outdated and/or incompatible with Portage
> because of independent release cycle...
>
>
> I'll rephrase my objection.
>
> I don't care what you do as long as Zac (the person releasing portage)
> agrees with whatever requirements you need. If we need 3 releases in a
> row because the hook is buggy, as long as Zac is happy with that I'm
> happy with that.
>
> What I don't want to see is surprise when the hook is cut and suddenly
> it's buggy and we need new cuts and Zac is not around, or HEAD is broken,
> or some other problem.
>
> Looking at the release history, multiple cuts in O(few) days is fairly
> common (11/20, 11/21, 12/10, 12/15) so this seems low risk to me; but
> AFAIK Zac is usually driving these changes himself so it's a bit more
> obvious what is going on. Or just allow Michał to cut his own portage
> releases when he needs hook updates.
>
> -A

The thing is, this pubring.gpg path tightly couples the hook to gentoo-keys.
I'd feel much more comfortable about including it with portage if we
used something like this command to query the pubring.gpg location:

$ gkeys list-key -C gentoo -n snapshot

Nick.....: snapshot
Name.....: Gentoo Tree Snapshot (Automated) Signing Key
Keydir...: release
Gpg info.: /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
pub rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]
Key fingerprint = D2DE 1DBB A0F4 3EBA 341B 97D8 8255 33CB F6CD 6C97
uid [ expired] Gentoo-keys Team <gkeys@g.o>

pub dsa1024/9E6438C817072058 2004-07-20 [SC] [expires: 2018-07-01]
Key fingerprint = D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058
uid [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o>
sub elg2048/0403710E1415B4ED 2004-07-20 [E] [expires: 2018-07-01]

pub rsa4096/DB6B8C1F96D8BF6D 2011-11-25 [C] [expires: 2018-07-01]
Key fingerprint = DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
uid [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub rsa4096/EC590EEAC9189250 2011-11-25 [S] [expires: 2018-07-01]

pub rsa4096/BB572E0E2D182910 2009-08-25 [SC] [expired: 2017-08-25]
Key fingerprint = 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
uid [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o>

--
Thanks,
Zac
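
One way to act on the `gkeys list-key` query shown in the message above, as an added example that is not code from this thread or from Portage. It assumes the `Gpg info.:` line format of the quoted listing; `parse_keyring_path` and `resolve_keyring` are hypothetical helper names.

```bash
#!/bin/bash
# Added example: take the keyring path from `gkeys list-key` output instead
# of hardcoding it. Assumes the "Gpg info.:" line format of the listing above.

# Constructed sample: the header of the listing quoted in the message above.
sample_gkeys_output() {
cat <<'EOF'
Nick.....: snapshot
Name.....: Gentoo Tree Snapshot (Automated) Signing Key
Keydir...: release
Gpg info.: /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
EOF
}

# Hypothetical helper: read gkeys output on stdin and print the keyring path.
# Succeeds only if exactly one "Gpg info.:" line with an absolute path exists,
# so an empty, ambiguous or relative answer is rejected rather than guessed.
parse_keyring_path() (
	paths=$(sed -n 's/^[[:space:]]*Gpg info\.:[[:space:]]*//p')
	[ -n "${paths}" ] || exit 1
	[ "$(printf '%s\n' "${paths}" | grep -c .)" -eq 1 ] || exit 1
	case ${paths} in
		/*) printf '%s\n' "${paths}" ;;
		*) exit 1 ;;
	esac
)

# Hypothetical helper: fail closed. A hook using this must abort the sync
# when the path cannot be determined or the keyring file is not readable.
resolve_keyring() (
	path=$(parse_keyring_path) || {
		echo "no usable keyring path in gkeys output" >&2; exit 1; }
	[ -r "${path}" ] || { echo "keyring not readable: ${path}" >&2; exit 1; }
	printf '%s\n' "${path}"
)

# Demo on the constructed sample (parsing only; no keyring is read here).
sample_gkeys_output | parse_keyring_path
```

In a hook the input would come from `gkeys list-key -C gentoo -n snapshot | resolve_keyring`, which requires the app-crypt/gkeys dependency discussed earlier in the thread.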