[gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 506 bytes --]

Hi,

why manifest signatures are still optional for repoman?

Repoman signatures are currently optional and this creates nasty
consequences: if signing errors occurs, repoman still proceeds :/

I just had a phone call during repoman commit and was not able to
type my password. Due to gpg-agent timeout repoman completed commit
without a signature :( Should signatures be mandatory, repoman will
bail out on such conditions and devs can recommit again safely.

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 902 bytes --]

Dnia 2015-04-15, o godz. 11:59:12
Andrew Savchenko <bircoph@gentoo.org> napisał(a):

> Hi,
> 
> why manifest signatures are still optional for repoman?
> 
> Repoman signatures are currently optional and this creates nasty
> consequences: if signing errors occurs, repoman still proceeds :/
> 
> I just had a phone call during repoman commit and was not able to
> type my password. Due to gpg-agent timeout repoman completed commit
> without a signature :( Should signatures be mandatory, repoman will
> bail out on such conditions and devs can recommit again safely.

This is problem with the CVS two-commit procedure. The only solution is
to stop using CVS keywords which people don't want to do because THEY
ARE SO VERY USEFUL.

Or make repoman do first commit without Manifest, so instead of
unsigned Manifest you'd have Manifest failure.

-- 
Best regards,
Michał Górny

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Andrew Savchenko]

[-- Attachment #1: Type: text/plain, Size: 1195 bytes --]

On Wed, 15 Apr 2015 11:06:22 +0200 Michał Górny wrote:
> Dnia 2015-04-15, o godz. 11:59:12
> Andrew Savchenko <bircoph@gentoo.org> napisał(a):
> 
> > Hi,
> > 
> > why manifest signatures are still optional for repoman?
> > 
> > Repoman signatures are currently optional and this creates nasty
> > consequences: if signing errors occurs, repoman still proceeds :/
> > 
> > I just had a phone call during repoman commit and was not able to
> > type my password. Due to gpg-agent timeout repoman completed commit
> > without a signature :( Should signatures be mandatory, repoman will
> > bail out on such conditions and devs can recommit again safely.
> 
> This is problem with the CVS two-commit procedure. The only solution is
> to stop using CVS keywords which people don't want to do because THEY
> ARE SO VERY USEFUL.
> 
> Or make repoman do first commit without Manifest, so instead of
> unsigned Manifest you'd have Manifest failure.

Is there any way to commit manifest first, then the rest of the
files? Of course there may be a network failure in-between, but
this should easily fixable with one more repoman commit run.


Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 719 bytes --]

>>>>> On Wed, 15 Apr 2015, Michał Górny wrote:

> This is problem with the CVS two-commit procedure. The only solution
> is to stop using CVS keywords which people don't want to do because
> THEY ARE SO VERY USEFUL.

> Or make repoman do first commit without Manifest, so instead of
> unsigned Manifest you'd have Manifest failure.

But that's what it does. It commits all other files, then it signs the
Manifest and commits that.

However, if signing fails it will commit an unsigned Manifest. Which I
think is a misfeature. If I have FEATURES=sign then I want to commit
a signed Manifest. If there are problems, repoman should error out but
not do some other action that I've not asked for.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Jason Zaman]

On Wed, Apr 15, 2015 at 12:27:08PM +0300, Andrew Savchenko wrote:
> On Wed, 15 Apr 2015 11:06:22 +0200 Michał Górny wrote:
> > Dnia 2015-04-15, o godz. 11:59:12
> > Andrew Savchenko <bircoph@gentoo.org> napisał(a):
> > 
> > > Hi,
> > > 
> > > why manifest signatures are still optional for repoman?
> > > 
> > > Repoman signatures are currently optional and this creates nasty
> > > consequences: if signing errors occurs, repoman still proceeds :/
> > > 
> > > I just had a phone call during repoman commit and was not able to
> > > type my password. Due to gpg-agent timeout repoman completed commit
> > > without a signature :( Should signatures be mandatory, repoman will
> > > bail out on such conditions and devs can recommit again safely.
> > 
> > This is problem with the CVS two-commit procedure. The only solution is
> > to stop using CVS keywords which people don't want to do because THEY
> > ARE SO VERY USEFUL.
> > 
> > Or make repoman do first commit without Manifest, so instead of
> > unsigned Manifest you'd have Manifest failure.
> 
> Is there any way to commit manifest first, then the rest of the
> files? Of course there may be a network failure in-between, but
> this should easily fixable with one more repoman commit run.

no. the problem is that all the files change when they are committed.
the $ Header: xxxxx $ line has the commit time and stuff. so the two
phase first commits all the ebuilds and everything then when the lines
are fixed it re-makes the manifest and commits.

I dont think it can be fixed without getting rid of the $Header$ line.
I'd be all for it, those lines seem like more trouble than its worth to me.

-- Jason

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Rich Freeman]

On Wed, Apr 15, 2015 at 5:58 AM, Jason Zaman <perfinion@gentoo.org> wrote:
> I dont think it can be fixed without getting rid of the $Header$ line.
> I'd be all for it, those lines seem like more trouble than its worth to me.

Those problems cause headaches all over the place.  I'll be very happy
to see them go when we migrate to git.  If somebody wants to get rid
of them sooner, they're more than welcome as far as I'm concerned.

-- 
Rich

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Ian Stakenvicius]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 15/04/15 05:49 AM, Ulrich Mueller wrote:
>>>>>> On Wed, 15 Apr 2015, Michał Górny wrote:
> 
>> This is problem with the CVS two-commit procedure. The only
>> solution is to stop using CVS keywords which people don't want to
>> do because THEY ARE SO VERY USEFUL.
> 
>> Or make repoman do first commit without Manifest, so instead of 
>> unsigned Manifest you'd have Manifest failure.
> 
> But that's what it does. It commits all other files, then it signs
> the Manifest and commits that.
> 
> However, if signing fails it will commit an unsigned Manifest.
> Which I think is a misfeature. If I have FEATURES=sign then I want
> to commit a signed Manifest. If there are problems, repoman should
> error out but not do some other action that I've not asked for.
> 
> Ulrich
> 

Couldn't repoman sign a copy of the Manifest first (even if it's
staged in temporary space somewhere), then either do it all in one
commit or do the same two-stage commit it does now??  At least that
would allow it to catch gpg errors and abort.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlUualoACgkQ2ugaI38ACPCV7wEAuziEMB5clCZYzt/ztL9LXDtj
XRaxgLP0/usM0yaOqMkA+wRx2LQEGlNnfQhV0e/SMc1kACx3tYoRVvFZxJTv12OT
=1dae
-----END PGP SIGNATURE-----

Re: [gentoo-dev] [RFC] Make manifest signatures mandatory for repoman commit

[Ian Stakenvicius]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 15/04/15 09:40 AM, Ian Stakenvicius wrote:
> On 15/04/15 05:49 AM, Ulrich Mueller wrote:
>>>>>>> On Wed, 15 Apr 2015, Michał Górny wrote:
> 
>>> This is problem with the CVS two-commit procedure. The only 
>>> solution is to stop using CVS keywords which people don't want
>>> to do because THEY ARE SO VERY USEFUL.
> 
>>> Or make repoman do first commit without Manifest, so instead of
>>>  unsigned Manifest you'd have Manifest failure.
> 
>> But that's what it does. It commits all other files, then it
>> signs the Manifest and commits that.
> 
>> However, if signing fails it will commit an unsigned Manifest. 
>> Which I think is a misfeature. If I have FEATURES=sign then I
>> want to commit a signed Manifest. If there are problems, repoman
>> should error out but not do some other action that I've not asked
>> for.
> 
>> Ulrich
> 
> 
> Couldn't repoman sign a copy of the Manifest first (even if it's 
> staged in temporary space somewhere), then either do it all in one 
> commit or do the same two-stage commit it does now??  At least
> that would allow it to catch gpg errors and abort.

Nevermind, I follow the issue with the keywords now...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iF4EAREIAAYFAlUuaykACgkQ2ugaI38ACPDWEQD/TX233xLS5CKkaikTSPEBaaNO
ouaMvTubvt4LB+Vjdg0BALUgQD6be9hoj/c5IeFVED5X6WnLdlAbNnOLoUdn6kX0
=IreG
-----END PGP SIGNATURE-----