ALP: Build Service Git-Packaging Workflow

Meeting Wednesdays at 08:00 UTC in

Next Meeting June 28th

Attendees

Rollout for Factory
- Sha256 or sha1 for rollout
- Main concern is that the documentation of git says do not use in production - will change
- If we can get confirmation that we’d have migration or on-disk stability we could go with sha256
- sha1 is deprecated before end of alp according to NIST/other certification bodies recommendations
- AI: dirk: ping supply chain security working group on recommendation
Adam: fyi Git hooks are not copied from server to client so does not help with “git lfs init” issue
- Sounds like “osc” needs to be extended to handle lfs hook initialization / check
- Server side hook on git push could validate that the hooks were installed
- adrian: there is some obs/osc indepedend tooling to initialize/update git repos here: https://src.opensuse.org/adrianSuSE/obs-git-init.git
local osc build (or its equivalent): all present expressed their support for keeping it around (some using very strong language)

Action Items

AI: snbarth: write up support level for ALP handling (with container native OS - do we still need it on a package by package level)
AI: dirk: write up status of prototype and share it with the group
AI adamm: look at how a git signature policy evaluation could be implemented based on adam’s multi-signature signing approach