On Tue, Apr 12, 2022 at 05:05:22PM -0700, Michael Johnson wrote:
> tldr: All devstack based jobs are going to fail with newer versions of
> git - don't bother rechecking
>
> git has released a security fix [1] that is starting to roll out in distributions (Ubuntu focal for example) that will cause pbr to be unable to access the package metadata for packages checked out locally due to the directory ownership used in devstack.

This turns out to be annoyingly complicated. Since devstack checks out all code as "stack" and then installs globally with "sudo pip install -e ...", pbr will be running in a directory owned by "stack" as root and its git calls will hit this failure.

If we make the code directories owned by root, we now have additional problems. Several places do things in the code repositories -- e.g. setup virtualenvs, run ./tools/*.sh scripts to generate sample config files and run tox as "stack" (tox then tries to install the source tree in its virtualenv -- if it's owned by root -- again -- failure). I explored a bunch of these options in

 https://review.opendev.org/c/openstack/devstack/+/837636

and anyone feel free to take over that and keep trying.

The other option is to use the new config flag to mark our checkouts as safe. This is obviously simpler, but it seems like a very ugly thing for a nominally generic tool like devstack to do to your global git config. This is done with

 https://review.opendev.org/c/openstack/devstack/+/837659

and appears to work; but will need backporting for grenade if we want to take this path.

When this kicked off I sent in a link to HN thinking that thanks to our very upstream focused CI we were likely some of the first to hit this; it's currently the top post so I think that is accurate that this is having wide impact:

 https://news.ycombinator.com/item?id=31009675

It is probably worth keeping one eye on upstream for any developments that might change our options.

-i
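
The ownership mismatch described in the message above can be audited before choosing between the two options. The following is an added example, not part of the original message and not devstack's code: it lists the checkouts whose owner differs from the uid that will run git, and prints (without running) one per-path `safe.directory` entry for each. The function names and the one-checkout-per-subdirectory layout are assumptions.

```shell
#!/bin/sh
# Added example (not devstack code). Assumes checkouts live one level
# below a root directory, e.g. <root>/<project>/.git.

# Print the numeric uid owning a path (GNU stat, then BSD stat).
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# List each checkout under root $1 whose top-level directory is NOT
# owned by uid $2. These are the trees where git, run as that uid,
# hits the ownership check (root running in a "stack"-owned tree).
mismatched_checkouts() {
    root=$1
    uid=$2
    for gitdir in "$root"/*/.git; do
        [ -e "$gitdir" ] || continue
        repo=${gitdir%/.git}
        [ "$(owner_uid "$repo")" = "$uid" ] || printf '%s\n' "$repo"
    done
}

# Emit, but do not execute, one explicit safe.directory entry per
# mismatched checkout, so the exception list is reviewable and limited
# to the paths that actually need it.
safe_directory_commands() {
    mismatched_checkouts "$1" "$2" | while IFS= read -r repo; do
        printf "git config --global --add safe.directory '%s'\n" "$repo"
    done
}

# Usage: script <root> [uid]   (uid defaults to 0, the sudo pip case)
if [ $# -ge 1 ]; then
    safe_directory_commands "$1" "${2:-0}"
fi
```

The `--global` entries land in the config of whichever user runs the printed commands, so they need to be run as the user that will invoke git.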