public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] signing with proxied maintainers
@ 2011-03-25 21:02 Mike Frysinger
  2011-03-25 21:29 ` Dane Smith
  0 siblings, 1 reply; 2+ messages in thread
From: Mike Frysinger @ 2011-03-25 21:02 UTC
  To: gentoo-dev

once we move to git, the workflow for proxy maintainers is going to be
a lot smoother.  the question is how to handle signing with proxy
maintainers.

it would be nice if said proxied maintainers would sign things and
that would be preserved all the way to the push to the common server.
pros:
 - Gentoo dev doing the proxy can pull, look at the commits, and then push
cons:
 - proxied maintainers need to set up pgp too
 - we need to have another list of keys to accept outside of the
existing Gentoo dev list
 - easy to miss if commit was made through repoman, or on an older tree

the other method would be that a Gentoo dev pulls the changesets and
then runs `repoman commit` himself.
pros:
 - proxied maintainers need not think of pgp at all
 - we only need the original Gentoo dev key list
 - the Gentoo dev knows immediately if there's a repoman problem
cons:
 - workflow not as smooth

in thinking about this last bit, i wonder if that could simply be
addressed in repoman itself ?  we could add a "repoman push" command
that compared the remote branch to the local one to find out all the
packages that have been updated, go into each one and rebuild just the
Manifest, and then do the `git push`.
-mike




* Re: [gentoo-dev] signing with proxied maintainers
  2011-03-25 21:02 [gentoo-dev] signing with proxied maintainers Mike Frysinger
@ 2011-03-25 21:29 ` Dane Smith
  0 siblings, 0 replies; 2+ messages in thread
From: Dane Smith @ 2011-03-25 21:29 UTC
  To: gentoo-dev

On 03/25/11 17:02, Mike Frysinger wrote:
> once we move to git, the workflow for proxy maintainers is going to be
> a lot smoother.  the question is how to handle signing with proxy
> maintainers.
> 
> it would be nice if said proxied maintainers would sign things and
> that would be preserved all the way to the push to the common server.
> pros:
>  - Gentoo dev doing the proxy can pull, look at the commits, and then push
> cons:
>  - proxied maintainers need to set up pgp too
>  - we need to have another list of keys to accept outside of the
> existing Gentoo dev list
>  - easy to miss if commit was made through repoman, or on an older tree
> 
> the other method would be that a Gentoo dev pulls the changesets and
> then runs `repoman commit` himself.
> pros:
>  - proxied maintainers need not think of pgp at all
>  - we only need the original Gentoo dev key list
>  - the Gentoo dev knows immediately if there's a repoman problem
> cons:
>  - workflow not as smooth
> 
> in thinking about this last bit, i wonder if that could simply be
> addressed in repoman itself ?  we could add a "repoman push" command
> that compared the remote branch to the local one to find out all the
> packages that have been updated, go into each one and rebuild just the
> Manifest, and then do the `git push`.
> -mike
> 

From my point of view, we should be using something close to the second
one regardless. Devs should be checking the works of proxy committers
anyway, so running repoman should already be part of that workflow.

Secondly, I like that last idea. Except I'd amend that it should run
repoman full; warn if anything is wrong, then repoman manifest etc.

-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index
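
The "repoman push" flow proposed in this thread, with the amendment to run `repoman full` before `repoman manifest`, sketched as an added example that is not part of either message or of repoman itself. The function names, the `origin`/`master` defaults, the list of non-package top-level directories and the extra commit for regenerated Manifests are assumptions.

```shell
#!/bin/sh
# Added illustration; "repoman push" was only a proposal in this thread.
# Function names, defaults and the non-package directory list are assumptions.

# stdin: changed file paths, one per line (as from `git diff --name-only`).
# stdout: unique category/package directories that contain a changed file.
changed_packages() {
    awk -F/ 'NF >= 3 && $1 !~ /^(eclass|profiles|metadata|licenses|scripts)$/ {
        print $1 "/" $2
    }' | sort -u
}

# Re-check and re-manifest every package that differs from the remote branch,
# then push. Usage: repoman_push [remote] [branch]
# The body is a subshell so `cd` and variables do not leak into the caller.
repoman_push() (
    remote=${1:-origin}
    branch=${2:-master}
    top=$(git rev-parse --show-toplevel) || exit 1
    cd "$top" || exit 1
    git fetch "$remote" || exit 1

    # Compare the remote branch to the local one to find updated packages.
    pkgs=$(git diff --name-only "$remote/$branch" HEAD | changed_packages)
    [ -n "$pkgs" ] || { echo "no package changes to push" >&2; exit 0; }

    for pkg in $pkgs; do
        if [ ! -d "$pkg" ]; then
            echo "skip $pkg (package removed)" >&2
            continue
        fi
        # QA pass first: warn but keep going, as suggested in the reply.
        ( cd "$pkg" && repoman full ) ||
            echo "WARNING: repoman full reported problems in $pkg" >&2
        # Rebuild only the Manifest; a failure here aborts before any push.
        ( cd "$pkg" && repoman manifest ) || exit 1
        git add -- "$pkg/Manifest" || exit 1
    done

    # Assumption: regenerated Manifests are recorded in one extra commit.
    git diff --cached --quiet || git commit -m "Regenerate Manifests" || exit 1
    git push "$remote" "HEAD:$branch"
)
```

Run `repoman_push` from inside the tree checkout after pulling the proxied maintainer's changesets; nothing is pushed if any Manifest rebuild fails.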



