| 1 |
On Sat, Jul 7, 2018 at 5:29 PM Martin Vaeth <martin@×××××.de> wrote: |
| 2 |
> |
| 3 |
> Rich Freeman <rich0@g.o> wrote: |
| 4 |
> > On Sat, Jul 7, 2018 at 1:34 AM Martin Vaeth <martin@×××××.de> wrote: |
| 5 |
> >> |
| 6 |
> >> Biggest issue is that git signature happens by the developer who |
| 7 |
> >> last commited which means that in practice you need dozens/hundreds |
| 8 |
> >> of keys. |
| 9 |
> > |
| 10 |
> > This is untrue. [...] |
| 11 |
> > It will, of course, not work on the regular git repo [...] |
| 12 |
> > You need to use a repo that is signed by infra |
| 13 |
> > (which typically includes metadata/etc as well). |
| 14 |
> |
| 15 |
> I was speaking about gentoo's git repository, of course |
| 16 |
> (the one which was attacked on github), not about a Frankensteined one |
| 17 |
> with metadata history filling megabytes of disk space unnecessarily. |
| 18 |
> Who has that much disk space to waste? |
| 19 |
|
| 20 |
Doesn't portage create that metadata anyway when you run it, negating |
| 21 |
any space savings at the cost of CPU to regenerate the cache? |
| 22 |
|
| 23 |
> |
| 24 |
> For the official git repository your assertions are simply false, |
| 25 |
> as you apprently admit: It is currently not possible to use the |
| 26 |
> official git repo (or the github clone of it which was attacked) |
| 27 |
> in a secure manner. |
| 28 |
> |
| 29 |
|
| 30 |
Sure, but this also doesn't support signature verification at all (at |
| 31 |
least not by portage - git can of course manually verify any commit), |
| 32 |
so your points still don't apply. |
| 33 |
|
| 34 |
> > and as a bonus they want them prepended to |
| 35 |
> > instead of appended so that rsync resends the whole thing instead of |
| 36 |
> > just the tail... |
| 37 |
> |
| 38 |
> Your implicit claim is untrue. rsync - as used by portage - always |
| 39 |
> transfers whole files, only. |
| 40 |
|
| 41 |
rsync is capable of transferring partial files. I can't vouch for how |
| 42 |
portage is using it, but both the rsync command line program and |
| 43 |
librsync can do partial file transfers. However, this is based on |
| 44 |
offsets from the start of the file, so appending to a file will result |
| 45 |
in the first part of the file being identical, but prepending will |
| 46 |
break rsync's algorithm. |
| 47 |
|
| 48 |
> |
| 49 |
> > But, this was endlessly debated before the decision was made. |
| 50 |
> |
| 51 |
> The decision was about removing the ChangeLogs from the git |
| 52 |
> repository. This was certainly the correct decision, because - |
| 53 |
> as you said - the ChangeLogs *can* be regenerated from the |
| 54 |
> git history and thus it makes no sense to modify/store them |
| 55 |
> redundantly. |
| 56 |
|
| 57 |
There were two decisions: |
| 58 |
|
| 59 |
https://projects.gentoo.org/council/meeting-logs/20141014-summary.txt |
| 60 |
|
| 61 |
"do we need to continue to create new ChangeLog entries once we're |
| 62 |
operating in git?" No. |
| 63 |
|
| 64 |
https://projects.gentoo.org/council/meeting-logs/20160410-summary.txt |
| 65 |
|
| 66 |
"The council does not require that ChangeLogs be generated or |
| 67 |
distributed through the rsync system. It is at the discretion of our |
| 68 |
infrastructure team whether or not this service continues." |
| 69 |
Accepted (4 yes, 1 no, 2 abstention) |
| 70 |
|
| 71 |
> > It probably should be a configurable option in repos.conf, but |
| 72 |
> > honestly, forced pushes are not something that should be considered a |
| 73 |
> > good practice. |
| 74 |
> |
| 75 |
> 1. portage shouldn't decide about practices of overlays. |
| 76 |
|
| 77 |
Hence the reason I suggested it should be a repos.conf option. |
| 78 |
|
| 79 |
> 2. also in the official gentoo repository force pushes happen |
| 80 |
> occassionally. Last occurrence was e.g. when undoing the |
| 81 |
> malevolent forced push ;) |
| 82 |
|
| 83 |
Sure, but that was a fast-forward from the last good commit, so it |
| 84 |
wouldn't require a force pull unless a user had done a force pull on |
| 85 |
the bad repo. |
| 86 |
|
| 87 |
> 3. git pull fails not only for forced pushes but also in several |
| 88 |
> other occassions; for instance, if your filesystem changed inodes |
| 89 |
> numbers (e.g. squash + overlayfs after a resquash+remount). |
| 90 |
|
| 91 |
If you're using squashfs git pull probably isn't the right solution for you. |
| 92 |
|
| 93 |
> 4. Even if the user made the mistake to edit a file, portage should |
| 94 |
> not just die on syncing. |
| 95 |
|
| 96 |
emerge --sync won't die in a situation like in general. Maybe it will |
| 97 |
if there is a merge conflict, but I don't think the correct default in |
| 98 |
this case should be to just wipe out the user's changes. I'm all for |
| 99 |
making that an option, however. |
| 100 |
|
| 101 |
-- |
| 102 |
Rich |
Archives