[openstack-dev] Please do use PGP and PGP signed tags!

Monty Taylor mordred at inaugust.com
Sun Feb 10 19:27:15 UTC 2013



On 02/09/2013 10:13 PM, Thomas Goirand wrote:
> On 02/10/2013 05:18 AM, Monty Taylor wrote:
>>
>>
>> On 02/09/2013 02:17 PM, Mark McLoughlin wrote:
>>> Hi Thomas,
>>>
>>> On Sun, 2013-02-10 at 01:41 +0800, Thomas Goirand wrote:
>>>> As you may know, I am the person doing the packaging of Openstack in
>>>> Debian. So uploading stuff in Debian is my responsibility. I've been
>>>> trying to shout to everyone that they should be using PGP signed tags on
>>>> Github, but the message doesn't seem to be received well enough, even
>>
>> (small nit - this should be "PGP signed tags in git" - github has
>> nothing to do with it)
> 
> Yeah! It just happens that absolutely all of Openstack (including python
> modules) is hosted on github! :)

Hehe. I'm just being pedantic because OpenStack is hosted at
review.openstack.org and mirrored to github. I'm continuing on about it
because it relates to some of your questions below.

> But you are right, if it was hosted somewhere else, I would ask the same
> thing.
> 
>> I agree with Thomas that we should always sign tags in our projects -
>> especially now that we're using those tags as the basis for automated
>> releases.
> 
> And also: we don't use release tarballs in Debian, just the tags.

Interesting. I'd like to discuss your workflow at some point.

>> We've discussed putting in checks for signed tags vs. unsigned when we
>> do releases from tags
> 
> Unfortunately, this won't work, because the non-signed tags I've found
> were mostly on non-core projects (eg: python modules). So there's only
> one thing to do: educate everyone to use GnuPG and git tag -s.

If we decided to enforce that, we could enforce it across every project,
including the libraries and even random stackforge projects if we wanted
to. One of the nice things about our gerrit setup and the gating
infrastructure is that it allows us to do a bunch of cool stuff.

That said - actions taken on tags are operations that do not have an
associated code review related to them, so having zuul report back to
people that it rejected taking an action on their non-signed tag would
be a bit tricky.

So at the end of the day, I agree with your assessment - "educate
everyone to use GnuPG and git tag -s."

>> but I think that it might be harder to implement
>> than the benefit - especially since it's a small set of people already
>> who can push tags.
> 
> Do you know how to automate this kind of check (besides doing git tag
> -v <tag-name>)? Please share if you have some magic scripts, so that I
> could incorporate this in openstack-pkg-tools debian/rules targets.

No, git tag -v <tag-name> would be the basis of it. My main thought was
that, since we have things that publish tarballs and take other actions
when someone pushes a tag, we could put in filters that respond to only
valid tags.

However, that would not prevent someone from pushing a non-valid tag.

I keep dreaming of adding an interface to gerrit where tags are things
that can be proposed and reviewed - because then we'd have a good way to
validate signed tags... but I'm really not sure this is worth the effort.

Education, I believe, is the way to go. :)

Monty
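The check Thomas asks about above (automating `git tag -v` before a packaging step), as an added example that is not part of the original thread. It reads gpg's machine-readable status lines instead of the human-readable text and allowlists the signers' fingerprints; the fingerprint values, the sample status output and the `git verify-tag --raw` wrapper are assumptions for illustration, not anything from openstack-pkg-tools.

```python
"""Gate a packaging or release step on a PGP-signed git tag: parse gpg's
machine-readable [GNUPG:] status lines (not git tag -v's human text) and require
GOODSIG + VALIDSIG from an allowlisted key, so a tag signed by some random key that
happens to be in the keyring does not pass."""
import subprocess
from typing import NamedTuple, Set

# Constructed placeholder fingerprint, not a real release key.
RELEASE_KEYS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}
# gpg keywords that reject the tag regardless of anything else it reports.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

class TagCheck(NamedTuple):
    ok: bool
    reason: str
    fingerprint: str = ""

def check_status_lines(status_output: str, allowed: Set[str]) -> TagCheck:
    """Decide from gpg --status-fd output whether the tag is acceptably signed."""
    good, fpr, primary = False, "", ""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # git's own text, e.g. "error: no signature found"
        keyword = fields[1]
        if keyword in FATAL:
            return TagCheck(False, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fpr = fields[2].upper()
            # 12th field (if present) is the primary key when a subkey signed.
            primary = fields[11].upper() if len(fields) > 11 else fpr
    if not (good and fpr):
        return TagCheck(False, "no valid signature (unsigned or unverifiable tag)")
    if fpr not in allowed and primary not in allowed:
        return TagCheck(False, f"signed by unexpected key {fpr}", fpr)
    return TagCheck(True, "signed by an allowed release key", fpr)

def verify_tag(tag: str, repo: str = ".", allowed: Set[str] = RELEASE_KEYS) -> TagCheck:
    """git verify-tag --raw (git >= 2.12) puts the gpg status lines on stderr.
    Assumes git and gpg are installed and the signer's public key is imported."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return check_status_lines(proc.stderr, allowed)

# Constructed sample status output, shaped like what git verify-tag --raw emits.
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-02-10 1360521600"
    " 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n[GNUPG:] TRUST_FULLY 0 pgp\n")
```

In a debian/rules target the build would call `verify_tag(tag)` and abort unless `.ok` is true; a tag that merely verifies with some key is still rejected unless that key is on the allowlist.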
