Gentoo Archives: gentoo-portage-dev

From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o, Alec Warner <antarus@g.o>
Subject: Re: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification
Date: Wed, 17 Jan 2018 20:50:17
Message-Id: 98ed4acc-fb3a-73d3-56c8-b4542fd8ec63@gentoo.org
In Reply to: Re: [gentoo-portage-dev] [PATCH v2] misc: Distribute a repo.postsync.d hook to run gemato verification by Alec Warner
On 01/17/2018 07:42 AM, Alec Warner wrote:
> On Wed, Jan 17, 2018 at 10:25 AM, Michał Górny <mgorny@g.o> wrote:
>
> On Tue, 16.01.2018 at 11∶32 -0800, Zac Medico wrote:
> > On 01/16/2018 10:39 AM, Michał Górny wrote:
> > > On Tue, 16.01.2018 at 12∶44 -0500, Alec Warner wrote:
> > > > On Tue, Jan 16, 2018 at 11:43 AM, Michał Górny <mgorny@g.o> wrote:
> > > >
> > > > > Include a repo.postsync.d hook to verify the rsync checkout using
> > > > > gemato. Given that not all people will want to have it enabled
> > > > > unconditionally, no setup.py rules are included -- instead, the file
> > > > > would be installed conditionally by the ebuild.
> > > > >
> > > > > [v2: included link to the wiki page]
> > > > > ---
> > > > >  MANIFEST.in                   |  2 +-
> > > > >  misc/repo.postsync.d/00gemato | 18 ++++++++++++++++++
> > > > >  2 files changed, 19 insertions(+), 1 deletion(-)
> > > > >  create mode 100644 misc/repo.postsync.d/00gemato
> > > > >
> > > > > diff --git a/MANIFEST.in b/MANIFEST.in
> > > > > index 4f6cac162..edc6704e7 100644
> > > > > --- a/MANIFEST.in
> > > > > +++ b/MANIFEST.in
> > > > > @@ -14,4 +14,4 @@ include cnf/make.conf.example.*
> > > > >  include .portage_not_installed
> > > > >
> > > > >  # extra scripts
> > > > > -include misc/*
> > > > > +graft misc
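Review bot: `graft misc` includes every file under misc/ recursively, where `include misc/*` only took the top level, so anything later dropped anywhere in that tree ships in the sdist even though, per the commit message, the hook itself is installed only by the ebuild and not by setup.py; if that is the intent, a short comment above the `graft` line in MANIFEST.in noting that misc/repo.postsync.d/ is shipped but not installed by setup.py would save the next reader a trip to the ebuild.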
> > > > > diff --git a/misc/repo.postsync.d/00gemato
> b/misc/repo.postsync.d/00gemato
> > > > > new file mode 100644
> > > > > index 000000000..f2af50925
> > > > > --- /dev/null
> > > > > +++ b/misc/repo.postsync.d/00gemato
> > > > > @@ -0,0 +1,18 @@
> > > > > +#!/bin/bash
> > > > > +# repo.postsync.d hook to verify ::gentoo checkout using gemato
> > > > > +
> > > > > +name=${1}
> > > > > +url=${2}
> > > > > +path=${3}
> > > > > +
> > > > > +# keyring installed by gentoo-keys
> > > > >
> +openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
> > > > >
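Review bot: the hardcoded `openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg` is never checked for existence in the lines shown, so a machine without gentoo-keys (or one where the keyring moved) only finds out when gemato is handed a missing key file; add a guard directly after the assignment, e.g. `[[ -f ${openpgp_key} ]] || { echo "${0##*/}: keyring ${openpgp_key} not found" >&2; exit 1; }`, so a missing keyring fails the sync visibly instead of leaving the checkout unverified, and consider letting the path be overridden (an environment variable, or querying gkeys as proposed in the reply) so the hook is not tied to one package's layout. The header comment also says the hook verifies the ::gentoo checkout, but nothing in the visible lines compares `${name}` against it; if the trimmed remainder does not, an early `[[ ${name} == gentoo ]] || exit 0` belongs before the keyring lookup.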
> > > >
> > > > This seems a bit leaky to me.
> > > >
> > > > Possible to get gentoo-keys to print it?
> > > >
> > > > e.g.:
> > > >
> > > > openpgp_key=$(gentoo-keys --print-key-path)
> > >
> > > But app-crypt/gentoo-keys doesn't include that executable, and it has
> > > no dependency on app-crypt/gkeys. I'd rather not introduce an artificial
> > > dependency here.
> >
> > I suppose we could use a separate ebuild to install this hook, so that
> > we can update it separately from portage if necessary. The hook can
> > still live in the portage repository (like emerge-delta-webrsync which
> > is also installed by a separate ebuild).
>
> I don't see a strong reason to add yet another ebuild for a single file
> that is going to be updated really rarely. However, if we're going to do
> it that way, then there's no point in putting it in the Portage repository.
>
> However, this 'update it separately from portage' reminds me of repoman,
> which frequently gets seriously outdated and/or incompatible with Portage
> because of its independent release cycle...
>
>
> I'll rephrase my objection.
>
> I don't care what you do as long as Zac (the person releasing portage)
> agrees with whatever requirements you need. If we need 3 releases in a
> row because the hook is buggy, as long as Zac is happy with that I'm
> happy with that.
>
> What I don't want to see is surprise when the hook is cut and suddenly
> it's buggy and we need new cuts and Zac is not around, or HEAD is broken,
> or some other problem.
>
> Looking at the release history, multiple cuts in O(few) days is fairly
> common (11/20, 11/21, 12/10, 12/15), so this seems low risk to me; but
> AFAIK Zac is usually driving these changes himself so it's a bit more
> obvious what is going on. Or just allow Michał to cut his own portage
> releases when he needs hook updates.
>
> -A

The thing is, this pubring.gpg path tightly couples the hook to gentoo-keys.
I'd feel much more comfortable about including it with portage if we
used something like this command to query the pubring.gpg location:

$ gkeys list-key -C gentoo -n snapshot

Nick.....: snapshot
Name.....: Gentoo Tree Snapshot (Automated) Signing Key
Keydir...: release
Gpg info.: /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
pub rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]
Key fingerprint = D2DE 1DBB A0F4 3EBA 341B 97D8 8255 33CB F6CD 6C97
uid [ expired] Gentoo-keys Team <gkeys@g.o>

pub dsa1024/9E6438C817072058 2004-07-20 [SC] [expires: 2018-07-01]
Key fingerprint = D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058
uid [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o>
sub elg2048/0403710E1415B4ED 2004-07-20 [E] [expires: 2018-07-01]

pub rsa4096/DB6B8C1F96D8BF6D 2011-11-25 [C] [expires: 2018-07-01]
Key fingerprint = DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
uid [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub rsa4096/EC590EEAC9189250 2011-11-25 [S] [expires: 2018-07-01]

pub rsa4096/BB572E0E2D182910 2009-08-25 [SC] [expired: 2017-08-25]
Key fingerprint = 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
uid [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o>

--
Thanks,
Zac
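A hook written along the lines Zac proposes, taking the keyring path from `gkeys list-key` output instead of hardcoding it, as an added example that is neither the patch's 00gemato nor code from the thread. It assumes portage passes repository name, sync URI and path as $1 $2 $3 as the patch does, that `gkeys list-key -C gentoo -n snapshot` prints a `Gpg info.:` line like the one quoted above, and uses gemato's `-K` option to point verification at that keyring; the sample output embedded below is constructed from the quoted listing.

```shell
#!/bin/bash
# Added example: repo.postsync.d hook that asks gkeys where the keyring lives
# instead of hardcoding /var/lib/gentoo/gkeys/.../pubring.gpg.
# Portage passes: $1 = repo name, $2 = sync URI, $3 = repo path.

# Read `gkeys list-key` output on stdin and print the "Gpg info.:" path.
# Returns 1 when no such line is present so the caller can fail closed.
keyring_from_gkeys_output() {
    local line path=
    while IFS= read -r line; do
        case ${line} in
            'Gpg info.:'*)
                path=${line#Gpg info.:}   # drop the label ...
                path=${path# }            # ... and the single space after it
                break
                ;;
        esac
    done
    [ -n "${path}" ] || return 1
    printf '%s\n' "${path}"
}

# gkeys output as quoted in the thread, constructed here as sample input
SAMPLE_GKEYS_OUTPUT='Nick.....: snapshot
Name.....: Gentoo Tree Snapshot (Automated) Signing Key
Keydir...: release
Gpg info.: /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
pub rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]'

# Hook entry point: only ::gentoo is verified; any problem locating the
# keyring is an error, so a broken setup never silently skips verification.
verify_checkout() {
    local name="$1" path="$3" keyring
    [ "${name}" = gentoo ] || return 0
    keyring=$(gkeys list-key -C gentoo -n snapshot | keyring_from_gkeys_output) || {
        echo "${0##*/}: could not determine keyring path from gkeys" >&2
        return 1
    }
    [ -f "${keyring}" ] || {
        echo "${0##*/}: keyring ${keyring} does not exist" >&2
        return 1
    }
    # gemato checks the checkout's Manifest tree against this keyring only
    gemato verify -K "${keyring}" "${path}"
}

verify_checkout "$@"
```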

Attachments

File name MIME type
signature.asc application/pgp-signature
