From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-project+bounces-3996-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 993AF13838B
	for <garchives@archives.gentoo.org>; Thu,  2 Oct 2014 23:06:39 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 68DEFE086B;
	Thu,  2 Oct 2014 23:06:38 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id CA06EE081E
	for <gentoo-project@lists.gentoo.org>; Thu,  2 Oct 2014 23:06:37 +0000 (UTC)
Received: from pomiot.lan (mgorny-1-pt.tunnel.tserv28.waw1.ipv6.he.net [IPv6:2001:470:70:353::2])
	(using SSLv3 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: mgorny)
	by smtp.gentoo.org (Postfix) with ESMTPSA id E7994340393;
	Thu,  2 Oct 2014 23:06:35 +0000 (UTC)
Date: Fri, 3 Oct 2014 01:06:29 +0200
From: =?ISO-8859-2?B?TWljaGGzIEfzcm55?= <mgorny@gentoo.org>
To: Rich Freeman <rich0@gentoo.org>
Cc: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Re: Call for Council Agenda Items - 14 Oct
 2014
Message-ID: <20141003010629.27a1f25f@pomiot.lan>
In-Reply-To: <CAGfcS_k3gY9Q=gJZcpXtXFnxyk59L=d6hFX4D=5b6tdKQC4Qcg@mail.gmail.com>
References: <CAGfcS_m5cWLG_94-KMqaGef5JU-zr8-oJzjd4Q8QSAk=34QeeQ@mail.gmail.com>
	<CAGfcS_k3gY9Q=gJZcpXtXFnxyk59L=d6hFX4D=5b6tdKQC4Qcg@mail.gmail.com>
Organization: Gentoo
X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.24; x86_64-pc-linux-gnu)
Precedence: bulk
List-Post: <mailto:gentoo-project@lists.gentoo.org>
List-Help: <mailto:gentoo-project+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-project+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-project+subscribe@lists.gentoo.org>
List-Id: Gentoo Project discussion list <gentoo-project.gentoo.org>
X-BeenThere: gentoo-project@lists.gentoo.org
Reply-To: gentoo-project@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 boundary="Sig_/STYNzmtghDdhS6BKURj7IhO"; protocol="application/pgp-signature"
X-Archives-Salt: c4a248b5-af0c-4c12-a1a1-ee9bd5d92973
X-Archives-Hash: 0d765dec084a772716020b1577eb61cf

--Sig_/STYNzmtghDdhS6BKURj7IhO
Content-Type: text/plain; charset=ISO-8859-2
Content-Transfer-Encoding: quoted-printable

On 2014-10-01, at 13:30:55,
Rich Freeman <rich0@gentoo.org> wrote:

> On Tue, Sep 30, 2014 at 10:08 PM, Rich Freeman <rich0@gentoo.org> wrote:
> > If you'd like to contribute another agenda item, please reply to this email.
>
> I'll offer up a further topic for the git migration.

I think that there are a few issues that the Council may actually want
to discuss.


1. Security
-----------

Right now, all the 'mainline' commits in the dev repo need to be signed
by Gentoo developers. However, the 'B' (and further) branches of merge
commits are allowed to be unsigned (or signed using a non-Gentoo key)
-- which makes it possible to merge pull requests while preserving
the original commits. We have server-side verification of signatures on
pushes; we don't have portage-side verification of incoming commits but
I don't think that's a major blocker.

The user syncing repo uses merge commits to preserve the original dev tree
signatures. Both the merges and extra metadata commits are signed using
an automated signing key.

The rsync repository contains thick Manifests signed using an automated
signing key. Here, the signature verification is implemented completely
in Portage. We may want to use MetaManifests in the future but I doubt
that would be a blocker.

Also, the gentoo-keys project mentioned that we are disallowing Gentoo
developers from pushing commits signed using another developer's key. Not
sure if that's something really beneficial, so Council may want to
revisit that as well. And anyway, we always have merge commits for
double-signing.


2. ChangeLogs
-------------

The matter of ChangeLogs is still not entirely clear. Right now, we are
removing them completely and keeping old ones in history. From a little
insight we did, users are completely content with having access to
the history of changes via the historical repo and/or
gitweb/cgit/github/... The fact is that most of those tools provide
much better and more complete tools for analyzing changes than
ChangeLogs had.

In particular, this means that changes are supposed to be described
properly in commit messages. In case of necessity, 'git notes' can be
used to amend the messages.

It is possible to generate ChangeLogs in rsync. However, this seems
mostly pointless (and unnecessarily complex to implement) since most of
the users don't use them, and for the remaining use cases they are not
good enough. Especially since we have a git syncing repo that preserves
post-migration history, including commit messages and the ability to look up
the changes.


3. CVS Headers
--------------

The hateful thing. We could supposedly somehow fill them in rsync but
that's complex and very dangerous (think of all the broken patch files
currently in gx86). I think we should kill them.

And while at it, I think it'd be good to actually remove most of them
from our files -- changing header templates and so on. While not
strictly useful, it decreases the size of the repo a bit and avoids any
future nightmares :).

-- 
Best regards,
Michał Górny

--Sig_/STYNzmtghDdhS6BKURj7IhO
Content-Type: application/pgp-signature; name=signature.asc
Content-Disposition: attachment; filename=signature.asc


--Sig_/STYNzmtghDdhS6BKURj7IhO--
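
The mainline signing rule from section 1 of the message above, sketched as a server-side push check. This is an added example, not part of the original message and not Gentoo's hook code; the key fingerprints, developer names, commit ids and the check_mainline function are constructed for illustration, and accepting status U for allowlisted keys is an assumption.

```python
# Policy check for one pushed ref update, as a server-side hook might run it.
# Input lines use the format printed by (real git options):
#   git log --first-parent --format='%H %G? %GF' OLD..NEW
# --first-parent walks only the mainline, so commits reachable solely through
# a merge's second parent (the 'B' branch) are never listed or checked.

# Constructed allowlist: signing-key fingerprint -> developer (placeholders).
DEV_KEYS = {
    "AAAA000000000000000000000000000000000001": "alice",
    "BBBB000000000000000000000000000000000002": "bob",
}

def check_mainline(log_lines, dev_keys, pusher=None):
    """Return (commit, reason) violations; an empty list means accept.
    If pusher is given, also require the pushing developer's own key."""
    violations = []
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        commit = fields[0]
        status = fields[1] if len(fields) > 1 else "N"
        fpr = fields[2] if len(fields) > 2 else ""
        if status == "N":
            violations.append((commit, "unsigned mainline commit"))
        elif status not in ("G", "U"):
            # B = bad signature, X/Y = expired, R = revoked key, E = uncheckable
            violations.append((commit, "signature status " + status))
        elif fpr not in dev_keys:
            violations.append((commit, "signed by non-developer key"))
        elif pusher is not None and dev_keys[fpr] != pusher:
            violations.append((commit, "signed by another developer's key"))
    return violations

# Constructed push: c3 is a signed merge of a pull request whose original,
# unsigned commits sit on its second parent and so do not appear here.
SAMPLE = [
    "c3 G AAAA000000000000000000000000000000000001",
    "c2 N",
    "c1 G BBBB000000000000000000000000000000000002",
    "c0 U CCCC000000000000000000000000000000000003",
]

if __name__ == "__main__":
    for commit, reason in check_mainline(SAMPLE, DEV_KEYS, pusher="alice"):
        print(commit, reason)
```

Because side-branch commits are exempt, the signed merge commit is the only developer attestation covering the merged content.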