Hey! I actually wonder if the approach with a config flag to mark checkouts as safe should be applied more generally, when zuul preps repos for usage, instead of a hook in devstack specifically. As it's a more general issue, since zuul repos can't be used as-is now for other projects as well (limited to devstack).

Wed, 13 Apr 2022 at 09:14, Ian Wienand <iwienand@redhat.com>:
On Tue, Apr 12, 2022 at 05:05:22PM -0700, Michael Johnson wrote:
> tldr: All devstack based jobs are going to fail with newer versions of
> git - don't bother rechecking
git has released a security fix [1] that is starting to roll out in distributions (Ubuntu focal for example) that will cause pbr to be unable to access the package metadata for packages checked out locally due to the directory ownership used in devstack.
This turns out to be annoyingly complicated.
Since devstack checks out all code as "stack" and then installs globally with "sudo pip install -e ...", pbr will be running in a directory owned by "stack" as root and its git calls will hit this failure.
If we make the code directories owned by root, we now have additional problems. Several places do things in the code repositories -- e.g. set up virtualenvs, run ./tools/*.sh scripts to generate sample config files and run tox as "stack" (tox then tries to install the source tree in its virtualenv -- if it's owned by root -- again -- failure).
I explored a bunch of these options in
https://review.opendev.org/c/openstack/devstack/+/837636
and anyone feel free to take over that and keep trying.
The other option is to use the new config flag to mark our checkouts as safe. This is obviously simpler, but it seems like a very ugly thing for a nominally generic tool like devstack to do to your global git config. This is done with
https://review.opendev.org/c/openstack/devstack/+/837659
and appears to work; but will need backporting for grenade if we want to take this path.
When this kicked off I sent in a link to HN thinking that thanks to our very upstream focused CI we were likely some of the first to hit this; it's currently the top post so I think that is accurate that this is having wide impact:
https://news.ycombinator.com/item?id=31009675
It is probably worth keeping one eye on upstream for any developments that might change our options.
-i
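The two failure directions Ian describes (pbr's git calls running as root in "stack"-owned trees, and tox running as "stack" in root-owned trees) both come from the same ownership check, so an audit that reports which checkouts git would refuse for a given user, and emits per-repository safe.directory entries only for those rather than a wildcard, is a way to keep the global-config change as narrow as possible. This is an added example, not code from devstack or the thread; it models git's rule as "top-level directory owner must equal the effective uid running git" (a simplification), and the paths and uids are constructed.

```python
"""Audit devstack-style checkouts for git's "dubious ownership" refusal.

Simplified model of the check git >= 2.35.2 performs: the repository's
top-level directory must be owned by the uid running git, otherwise git
refuses unless that path is listed under safe.directory in git config.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Checkout:
    path: str       # top-level directory of the checkout
    owner_uid: int  # uid owning path (what os.stat(path).st_uid returns)


def is_dubious(owner_uid: int, running_uid: int) -> bool:
    """True when git run as running_uid would refuse a repo owned by owner_uid."""
    return owner_uid != running_uid


def dubious_checkouts(checkouts, running_uid):
    """Return only the checkouts git would refuse when run as running_uid."""
    return [c for c in checkouts if is_dubious(c.owner_uid, running_uid)]


def safe_directory_args(checkouts, running_uid):
    """One `git config` invocation per refused checkout.

    Listing each path explicitly is narrower than a wildcard entry: a
    checkout that is already owned by the running user is left alone.
    """
    return [
        ["git", "config", "--global", "--add", "safe.directory", c.path]
        for c in dubious_checkouts(checkouts, running_uid)
    ]


def scan(paths):
    """Build Checkout records from real directories that contain a .git."""
    return [Checkout(p, os.stat(p).st_uid)
            for p in paths if os.path.exists(os.path.join(p, ".git"))]


STACK_UID = 1000  # constructed: the "stack" user that cloned the repos
ROOT_UID = 0      # "sudo pip install -e ..." runs pbr's git calls as root

# Constructed inventory: everything under /opt/stack cloned as "stack",
# except one tree that was chowned to root (the experiment in 837636).
SAMPLE = [
    Checkout("/opt/stack/nova", STACK_UID),
    Checkout("/opt/stack/devstack", STACK_UID),
    Checkout("/opt/stack/requirements", ROOT_UID),
]

if __name__ == "__main__":
    for cmd in safe_directory_args(SAMPLE, ROOT_UID):
        print(" ".join(cmd))
```

Running it as root over the sample prints two safe.directory entries (nova and devstack); running the same audit as the stack user instead flags only the root-owned requirements tree, which is the tox failure from the thread.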