
ALP: Build Service Git-Packaging Workflow

Meeting Wednesdays at 08:00 UTC in

Next Meeting June 28th


  • Dirk Mueller
  • Adrian Schroeder
  • Frederic Crozat
  • Ludwig Nussel
  • Adam Majer
  • Matej Cepl

Discussion Items

  • Rollout for Factory
    • SHA-256 or SHA-1 for rollout
    • Main concern is that the Git documentation says “do not use in production” - will change
    • If we can get confirmation that we’d have migration or on-disk stability, we could go with SHA-256
    • SHA-1 is deprecated before the end of ALP according to recommendations from NIST and other certification bodies
    • AI: dirk: ping supply chain security working group on recommendation
  • Adam: FYI, Git hooks are not copied from server to client, so this does not help with the “git lfs init” issue
    • Sounds like “osc” needs to be extended to handle lfs hook initialization / check
    • Server side hook on git push could validate that the hooks were installed
    • adrian: there is some obs/osc independent tooling to initialize/update git repos here:
  • local osc build (or its equivalent): all present expressed their support for keeping it around (some using very strong language)

Action Items

Old Action Items

  • AI: snbarth: write up support level for ALP handling (with container native OS - do we still need it on a package by package level)
  • AI: dirk: write up status of prototype and share it with the group
  • AI: adamm: look at how a git signature policy evaluation could be implemented based on adam’s multi-signature signing approach