1 |
On Sat, Jul 7, 2018 at 5:29 PM Martin Vaeth <martin@×××××.de> wrote: |
2 |
> |
3 |
> Rich Freeman <rich0@g.o> wrote: |
4 |
> > On Sat, Jul 7, 2018 at 1:34 AM Martin Vaeth <martin@×××××.de> wrote: |
5 |
> >> |
6 |
> >> Biggest issue is that git signature happens by the developer who |
7 |
> >> last commited which means that in practice you need dozens/hundreds |
8 |
> >> of keys. |
9 |
> > |
10 |
> > This is untrue. [...] |
11 |
> > It will, of course, not work on the regular git repo [...] |
12 |
> > You need to use a repo that is signed by infra |
13 |
> > (which typically includes metadata/etc as well). |
14 |
> |
15 |
> I was speaking about gentoo's git repository, of course |
16 |
> (the one which was attacked on github), not about a Frankensteined one |
17 |
> with metadata history filling megabytes of disk space unnecessarily. |
18 |
> Who has that much disk space to waste? |
19 |
|
20 |
Doesn't portage create that metadata anyway when you run it, negating |
21 |
any space savings at the cost of CPU to regenerate the cache? |
22 |
|
23 |
> |
24 |
> For the official git repository your assertions are simply false, |
25 |
> as you apprently admit: It is currently not possible to use the |
26 |
> official git repo (or the github clone of it which was attacked) |
27 |
> in a secure manner. |
28 |
> |
29 |
|
30 |
Sure, but this also doesn't support signature verification at all (at |
31 |
least not by portage - git can of course manually verify any commit), |
32 |
so your points still don't apply. |
33 |
|
34 |
> > and as a bonus they want them prepended to |
35 |
> > instead of appended so that rsync resends the whole thing instead of |
36 |
> > just the tail... |
37 |
> |
38 |
> Your implicit claim is untrue. rsync - as used by portage - always |
39 |
> transfers whole files, only. |
40 |
|
41 |
rsync is capable of transferring partial files. I can't vouch for how |
42 |
portage is using it, but both the rsync command line program and |
43 |
librsync can do partial file transfers. However, this is based on |
44 |
offsets from the start of the file, so appending to a file will result |
45 |
in the first part of the file being identical, but prepending will |
46 |
break rsync's algorithm. |
47 |
|
48 |
> |
49 |
> > But, this was endlessly debated before the decision was made. |
50 |
> |
51 |
> The decision was about removing the ChangeLogs from the git |
52 |
> repository. This was certainly the correct decision, because - |
53 |
> as you said - the ChangeLogs *can* be regenerated from the |
54 |
> git history and thus it makes no sense to modify/store them |
55 |
> redundantly. |
56 |
|
57 |
There were two decisions: |
58 |
|
59 |
https://projects.gentoo.org/council/meeting-logs/20141014-summary.txt |
60 |
|
61 |
"do we need to continue to create new ChangeLog entries once we're |
62 |
operating in git?" No. |
63 |
|
64 |
https://projects.gentoo.org/council/meeting-logs/20160410-summary.txt |
65 |
|
66 |
"The council does not require that ChangeLogs be generated or |
67 |
distributed through the rsync system. It is at the discretion of our |
68 |
infrastructure team whether or not this service continues." |
69 |
Accepted (4 yes, 1 no, 2 abstention) |
70 |
|
71 |
> > It probably should be a configurable option in repos.conf, but |
72 |
> > honestly, forced pushes are not something that should be considered a |
73 |
> > good practice. |
74 |
> |
75 |
> 1. portage shouldn't decide about practices of overlays. |
76 |
|
77 |
Hence the reason I suggested it should be a repos.conf option. |
78 |
|
79 |
> 2. also in the official gentoo repository force pushes happen |
80 |
> occassionally. Last occurrence was e.g. when undoing the |
81 |
> malevolent forced push ;) |
82 |
|
83 |
Sure, but that was a fast-forward from the last good commit, so it |
84 |
wouldn't require a force pull unless a user had done a force pull on |
85 |
the bad repo. |
86 |
|
87 |
> 3. git pull fails not only for forced pushes but also in several |
88 |
> other occassions; for instance, if your filesystem changed inodes |
89 |
> numbers (e.g. squash + overlayfs after a resquash+remount). |
90 |
|
91 |
If you're using squashfs git pull probably isn't the right solution for you. |
92 |
|
93 |
> 4. Even if the user made the mistake to edit a file, portage should |
94 |
> not just die on syncing. |
95 |
|
96 |
emerge --sync won't die in a situation like in general. Maybe it will |
97 |
if there is a merge conflict, but I don't think the correct default in |
98 |
this case should be to just wipe out the user's changes. I'm all for |
99 |
making that an option, however. |
100 |
|
101 |
-- |
102 |
Rich |