openSUSE:ALP/Workgroups/Git-Packaging-Workflow/Minutes/20230628


ALP: Build Service Git-Packaging Workflow

Meeting Wednesdays at 08:00 UTC in

https://meet.opensuse.org/alp-git-packaging-workflow

Next Meeting June 28th

Attendees

  • Dirk Mueller
  • Adrian Schroeder
  • Frederic Crozat
  • Ludwig Nussel
  • Adamm Majer
  • Matej Cepl

Discussion Items

  • Rollout for Factory
    • Sha256 or sha1 for rollout
    • Main concern is that the documentation of git says do not use in production - will change
    • If we can get confirmation that we’d have migration or on-disk stability we could go with sha256
    • sha1 is deprecated before end of alp according to NIST/other certification bodies recommendations
    • AI: dirk: ping supply chain security working group on recommendation
  • Adam: fyi Git hooks are not copied from server to client so does not help with “git lfs init” issue
    • Sounds like “osc” needs to be extended to handle lfs hook initialization / check
    • Server side hook on git push could validate that the hooks were installed
    • adrian: there is some obs/osc-independent tooling to initialize/update git repos here: https://src.opensuse.org/adrianSuSE/obs-git-init.git
  • local osc build (or its equivalent): all present expressed their support for keeping it around (some using very strong language)

Action Items

Old Action Items

  • AI: snbarth: write up support level for ALP handling (with container native OS - do we still need it on a package by package level)
  • AI: dirk: write up status of prototype and share it with the group
  • AI: adamm: look at how a git signature policy evaluation could be implemented based on adam’s multi-signature signing approach