On 08/27/2016 09:55 PM, Axel Braun wrote:
Am 27. August 2016 11:52:25 MESZ, schrieb Dominique Leuenberger / DimStar <dimstar@opensuse.org>:
On Fri, 2016-08-26 at 21:54 +0200, Axel Braun wrote:
Regardless of the tarball source (upload from a developer or download by OBS via _service file), I think, that the tarballs should be verified with GPG keys or SHA checksums. This verification is enabled in some Factory packages, but not in all.
That makes perfectly sense.
Not all upstreams provide a signature - for the ones that do, I agree, we should use them. But it's at the maintainers to verify that there ARE signatures and use them.
Can you point me to a how-to or some documentation?
The infrastructure is ready - sigs are verified upon submission to Factory and as the package can't change there without a submission, it's gauranteed to stay valid (but can of cource be verified at any given point in time)
See the discussion here: [opensuse-factory] Build service and checksums for source code archive verification https://lists.opensuse.org/opensuse-factory/2016-08/msg00213.html
But coming back to the original scope of the mail - why automatic service runs are not allowed in Factory. I would have expected the whole community of package maintainers to step-up and grill me. Except Björn's comment I saw a mail from Oliver https://lists.opensuse.org/opensuse-factory/2016-08/msg00428.html complaining basically about the same fact.
So, if we dont have hard reasons to give away this nice feature , why cant we enable it by default? Or at least, not complain about it in factory?
For Factory it's a no-go: we have to guarantee that source will never change except by means of a submission from a devel project. With enabled services we risk that any given package might just 'updated to latest git master' (possibly involving user error, but still). You have to understand that any such thing would more than just invalidate the entire staging and pre-integration testing workflows we do.
For git, agree that may be an issue. For the packages I maintain there is a distinct version number, so it does not change 'by chance', only by purpose in the spec-file. I don't see that a service download would do harm
Services can be a great aid - but I don't see them fit in maintaining a project like Tumbleweed.
They can reduce workload dramatically: each supported version of Tryton (currently 6) has around 100 packages, where around 20% of them receive a monthly bugfix, resulting in a new minor version. Only 1 version should go to factory in the future, but the additional effort for local package handling does not really make me happy.... :-(
Viele Grüße Axel Braun
Well theoretically maintainers should test there new packages from the devel repo before submitting them to openSUSE:Factory so that an update that causes a crash on startup is caught and never sent to factory. As for the local handling if you changed your services to localonly you should be able to write a pretty simple bash script like below (not valid bash syntax because i'm lazy)to do the bulk of the work. for DIR in $Repo pushd $DIR osc vc -m "Scripted Version bump" osc commit -m "Scripted Version bump popd $DIR end Now someone can probably improve on that for example getting a sha256sum of the existing tarball running "osc build" to run the service then only updating the changelog and committing if there is a change would be much better, at that point some simple commandline magic might also be able to extract the version number to include in the commit message and changelog. That has the downside of needing to build everything locally though which may take time so "osc service" might be an answer I just didn't look at how to use it yet. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adeliade Australia, UTC+9:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B