[openstack-dev] [all] [stable] No longer doing stable point releases

Jeremy Stanley fungi at yuggoth.org
Mon Jun 1 15:44:29 UTC 2015


On 2015-06-01 12:04:34 +0200 (+0200), Thierry Carrez wrote:
> Thierry Carrez wrote:
[...]
> > 2. it would be difficult to get proper release notes
> > 
> > If we don't have point releases anymore, we don't have release notes
> > anymore. Release notes contain various types of information: the list of
> > security fixes, the occasional upgrade warning, and the list of bugfixes.
> 
> We'd probably have to find a way to provide the same information in the
> tarball itself, so that if you picked any of them you could still get a
> list of the fixes in there.
[...]

PBR has the ability to generate a ChangeLog as part of the sdist
tarball generation. If the ChangeLog itself isn't suitable, we could
do something akin to what Doug described about scraping commit
messages for particular specially-formatted header lines and then
maybe have a separate release notes sdist hook in PBR. Or we could
just expect projects to update a release notes file in that repo on
any stable branch change which implies some action on the part of
the downstream consumers.

As to the separate concern raised by a couple of respondents for a
lack of signatures on stable branch tarballs (be they per-commit or
arbitrarily tagged by their respective project teams), I've been
itching to implement some mechanical generation of detached
signatures to publish along with artifacts uploaded to
tarballs.openstack.org and PyPI anyway. We could presumably leverage
that. It wouldn't be a human signature, just a signature made by a
trusted host in the infrastructure build chain whose key was signed
by some of the infrastructure root admins, but would at least attest
to the integrity of the file once uploaded to the point of
publication.
-- 
Jeremy Stanley
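The commit-message scraping idea mentioned in the message above, sketched as an added example; it is not part of the original post and not PBR's own code. The flag names (`SecurityImpact`, `UpgradeImpact`, `Closes-Bug`), the last-paragraph rule and the function names are assumptions chosen to match the three kinds of release-note content listed in the quoted text.

```python
import re

# Assumed flags; the thread does not say which header lines would be scraped.
SECTIONS = {"SecurityImpact": "Security fixes",
            "UpgradeImpact": "Upgrade warnings", "Closes-Bug": "Bug fixes"}
HEADER_RE = re.compile(r"^(%s)(?::\s*(.*))?$" % "|".join(SECTIONS))

def parse_commit(message):
    """Return (subject, {flag: [values]}) for one commit message."""
    lines = message.strip().splitlines()
    trailer = []
    # Read only the last paragraph, so a flag quoted in the body is ignored.
    for line in reversed(lines[1:]):
        if not line.strip():
            break
        trailer.append(line.strip())
    headers = {}
    for line in trailer:
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1), []).append(m.group(2) or "")
    return lines[0].strip(), headers

def release_notes(commits):
    """Build release-notes text from (sha, message) pairs."""
    buckets = {flag: [] for flag in SECTIONS}
    for sha, message in commits:
        subject, headers = parse_commit(message)
        for flag, values in headers.items():
            detail = ", ".join(v for v in values if v)
            entry = "- %s (%s)" % (subject, sha[:7])
            buckets[flag].append(entry + (" [%s]" % detail if detail else ""))
    out = []
    for flag, title in SECTIONS.items():
        if buckets[flag]:
            out += [title, "-" * len(title)] + buckets[flag] + [""]
    return "\n".join(out)

# Constructed sample commits (not taken from any OpenStack repository).
SAMPLE_COMMITS = [
    ("1a2b3c4d5e", "Validate token scope before use\n\nReject mismatched "
     "scopes.\n\nSecurityImpact\nCloses-Bug: #1000001\nChange-Id: Iexample1"),
    ("2b3c4d5e6f", "Rename option foo to bar\n\n"
     "UpgradeImpact: set bar in the config file before upgrading"),
    ("3c4d5e6f7a", "Fix typo in docs\n\nSecurityImpact: only quoted in the "
     "body.\n\nChange-Id: Iexample3"),
]

if __name__ == "__main__":
    print(release_notes(SAMPLE_COMMITS))
```

A commit carrying more than one flag is listed under each matching section, so a security fix that also closes a bug appears in both lists.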