[ptl][tc] OpenStack packages PyPi additional external maintainers audit & cleanup

Jeremy Stanley fungi at yuggoth.org
Tue Jan 24 13:04:23 UTC 2023


On 2023-01-23 17:18:27 -0800 (-0800), Michael Johnson wrote:
[...]
> Historically part of the project creation steps required us to
> already have the PyPi projects setup[1] prior to attempting to
> become an OpenStack project. The "Project Creator Guide" (Which is
> no longer part of or linked from the OpenStack documentation[2],
> so maybe we aren't accepting new projects to OpenStack?) then had
> us add "openstackci" to the project if we were opting to have the
> release team release our packages. This is not a documented
> requirement that I am aware of and may be a gap caused by the
> openinfra split.
[...]

It was removed because it became increasingly impossible to describe
reliably. The maintainers for Warehouse (the software which
currently implements PyPI) removed the old registration Web form and
API methods which allowed pre-creation of projects in order to try
to curb name squatting, but also made it so new projects are created
automatically at initial upload. This means that in order to
pre-create a project on PyPI these days, you have to manually create
a minimal package and upload it. This became a significant blocker
to people trying to add release jobs, so we made the decision to
rely on release automation for project creation and advise new
projects to tag or request an alpha release as early as possible in
their formation.

> 1. We PGP sign these releases with an OpenStack key, but we don't
> upload the .asc file with the packages to PyPi. Why don't we do this
> to help folks have an easy way to validate that the package came from
> the OpenStack releases process?
[...]

I wanted to do this from the very beginning, but the (then
Cheeseshop, later Warehouse) maintainers repeatedly insisted that
their opinion was the signature uploads provided no security benefit
and they kept saying they were planning to remove that feature any
day. Also during the transition from Cheeseshop to Warehouse, there
was a span of several years where you could upload signatures but
the WebUI didn't link to them anywhere so users couldn't easily find
them anyway. When it became clear that work on PEP 458 had stalled
out, they relented and made signatures accessible through Warehouse,
but kept saying that was only a temporary measure which would be
removed as soon as TUF was in place.

> 2. With these signatures, we can automate tools to validate that
> releases were signed by the OpenStack release process and raise an
> alert if they are invalid.
[...]

We already upload them to tarballs.openstack.org and link them from
the pages on releases.openstack.org, which should be sufficient to
enable what you describe anyway without needing to also publish
signatures to PyPI (the insistence that PyPI was removing signature
uploading was a primary factor in our choice to continue hosting our
own copies of release artifacts in the first place, for precisely
this purpose).

> I think we have some options to consider beyond the "remove everyone
> but openstackci from the project" or "kick the project out of
> OpenStack"[3].
[...]

In the case of the project which triggered this discussion, it
wasn't so much kicked out of OpenStack as the people in OpenStack
with joint access to upload releases for it acknowledged that not
everyone who was publishing releases wanted to do so from within
OpenStack, so it's being relinquished to the other maintainers and
OpenStack will carry a fork instead if it becomes necessary to do
so in order to not have two different "official" sources of truth
for one package.
-- 
Jeremy Stanley
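The thread above asks for tooling that checks a release was signed by the OpenStack release process and alerts when it was not, using the detached `.asc` files published alongside the tarballs on tarballs.openstack.org. The script below is an added example, not part of the thread or of OpenStack's own release tooling. It drives GnuPG's documented machine-readable status interface (`gpg --status-fd 1 --verify <sig> <file>`) and interprets the status lines rather than trusting the exit code alone, because gpg can report a "good" signature from an expired, revoked or simply unexpected key. The release-key fingerprint and the sample status lines are constructed placeholders, not OpenStack's real key or output.

```python
"""Check a detached OpenPGP signature on a release tarball and alert unless it
is a valid signature from the expected release key.

Added example (not OpenStack's tooling). Assumes GnuPG's --status-fd output
format; the fingerprint below is a placeholder to be replaced with the
release key you have verified out of band.
"""
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# Placeholder fingerprint (40 hex digits): substitute the real release key.
EXPECTED_FINGERPRINT = "0" * 40

# Status keywords after which the signature must not be trusted, even though
# gpg may still exit 0 for some of them (e.g. a signature from an expired key).
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: Optional[str]
    reason: str


def evaluate_status(status_text: str, expected_fpr: str = EXPECTED_FINGERPRINT) -> VerifyResult:
    """Interpret gpg status lines. ok is True only for GOODSIG + VALIDSIG where the
    signing key (or its primary key) matches expected_fpr."""
    expected = expected_fpr.upper()
    saw_goodsig = False
    candidates = set()          # fingerprints gpg attributes the signature to
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue            # ignore anything that is not a status record
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return VerifyResult(False, None, f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <res> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            candidates.add(fields[2].upper())
            if len(fields) >= 12:
                candidates.add(fields[11].upper())   # primary key, if a subkey signed
    if not saw_goodsig or not candidates:
        return VerifyResult(False, None, "no valid signature found")
    if expected not in candidates:
        return VerifyResult(False, sorted(candidates)[0], "signed by an unexpected key")
    return VerifyResult(True, expected, "good signature from expected release key")


def verify_release(tarball: str, signature: str,
                   expected_fpr: str = EXPECTED_FINGERPRINT) -> VerifyResult:
    """Run gpg on a downloaded tarball and its .asc and evaluate the status output."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return VerifyResult(False, None, "gpg not installed")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout, expected_fpr)


# Constructed sample status output (not real gpg output for any OpenStack release).
SUBKEY_FPR = "1" * 40
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} Release Key (placeholder) <release@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2023-01-24 1674565463 0 4 0 1 10 00 {EXPECTED_FINGERPRINT}\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {SUBKEY_FPR[-16:]} Release Key (placeholder) <release@example.org>\n"
)
OTHER_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 2222222222222222 Someone Else (placeholder) <other@example.org>\n"
    f"[GNUPG:] VALIDSIG {'2' * 40} 2023-01-24 1674565463 0 4 0 1 10 00 {'2' * 40}\n"
)

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("bad", BAD_STATUS), ("other", OTHER_KEY_STATUS)):
        result = evaluate_status(status)
        print(f"{name}: {'OK' if result.ok else 'ALERT'} - {result.reason}")
```

In a real check you would call `verify_release()` on the tarball and `.asc` fetched from tarballs.openstack.org and page or fail the job whenever `ok` is False; the `reason` field distinguishes a corrupted download (`BADSIG`) from a key problem (`NO_PUBKEY`, `EXPKEYSIG`) or a signature from a key you did not expect.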