To: gentoo-dev@lists.gentoo.org
From: Patrick Lauer
Subject: [gentoo-dev] repo/gentoo.git, or how committing is challenging
Message-ID: <566DACB3.2010105@gentoo.org>
Date: Sun, 13 Dec 2015 18:36:51 +0100

Oh hey. We're in the future. Let's try to commit something to repo/gentoo.git!

So apparently we're signing things with gpg now, so let's read the official documentation. The [1] wiki seems to be the canonical location for such things.

Oh dear. The layout is VERY broken. See [2].
Which redirects to [3], which is a duplicate of [4], which has been closed because apparently the persons responsible don't understand how to internet. Since this bug is only about a year old I don't expect any progress soon - but fetching random crap from untrusted hosts is not a sane option. Especially since there is already a webserver, which is also trusted, so I'm confused why we're still having this conversation.

But hey, let's blindly fetch CSS from unknown, just to notice that this 'theme' needs JavaScript to display properly. Because reasons. Why would I want to blindly execute code when reading the text of a wiki? Because, reasons. Because, future!

Sigh. I'll just live with the breakage then.

But anyway, we find [5] the right document, and ... hit [6]. Can't install, bug is over half a year old, so I have to consider upstream dead. But we can easily patch the ebuild and somehow install app-crypt/gkeys.

Well, we can install it, but won't be able to use it because [7][8] it's TOFU. Totally Fine and Usable! Nothing some random stabbing won't fix, eh, but now we're an hour in just trying to get dependencies of dependencies installed. Sigh.

Now that gkeys is out of the way, let's try to use gkeys-gen! [9][10][11]

Nope. Nope nope, you don't get to play!

So there's no way to actually *use* this software in the default config (how was this ever released?!), and upstream has not fixed any of these issues in almost a year. This parrot is an ex-parrot!

Let's capitulate, err, repudiate. Wait, wrong word. Recapitulate! That's it. Let's recapitulate:

The official docs are running on an unmaintained broken platform. If you manage to read them they are wrong. And the software to use has been abandoned a year ago, but is still suggested as default in the docs.

Since signing is mandatory since the git migration, ahem, this means that no one in the last 5 months(!) actually followed the documentation (because that does NOT work!).
I'm almost impressed, but, wow, this is enterprisey.

So, what can we do to make this whole story of 'commit (and push) to repo/gentoo.git' make sense?

And why do I appear to be the only one to notice this chain of breakage?!

[1] http://wiki.gentoo.org
[2] https://bugs.gentoo.org/show_bug.cgi?id=559530
[3] https://bugs.gentoo.org/show_bug.cgi?id=547536
[4] https://bugs.gentoo.org/show_bug.cgi?id=536744
[5] https://wiki.gentoo.org/wiki/Project:Gentoo-keys/Generating_GLEP_63_based_OpenPGP_keys
[6] https://bugs.gentoo.org/show_bug.cgi?id=550848
[7] https://bugs.gentoo.org/show_bug.cgi?id=536338
[8] https://bugs.gentoo.org/show_bug.cgi?id=557090
[9] https://bugs.gentoo.org/show_bug.cgi?id=567768
[10] https://bugs.gentoo.org/show_bug.cgi?id=566782
[11] https://bugs.gentoo.org/show_bug.cgi?id=536316