openSUSE:ALP/Workgroups/Git-Packaging-Workflow/Minutes/20230628
ALP: Build Service Git-Packaging Workflow
Meeting Wednesdays at 08:00 UTC in https://meet.opensuse.org/alp-git-packaging-workflow
Next Meeting June 28th
Attendees
- Dirk Mueller
- Adrian Schroeder
- Frederic Crozat
- Ludwig Nussel
- Adam Majer
- Matej Cepl
Discussion Items
- Rollout for Factory
- sha256 or sha1 for rollout
  - Main concern is that the git documentation says not to use sha256 in production - will change
  - If we can get confirmation that we’d have migration or on-disk stability we could go with sha256
  - sha1 is deprecated before end of ALP according to recommendations from NIST and other certification bodies
  - AI: dirk: ping supply chain security working group on recommendation
- Adam: fyi Git hooks are not copied from server to client, so this does not help with the “git lfs init” issue
  - Sounds like “osc” needs to be extended to handle lfs hook initialization / check
  - Server side hook on git push could validate that the hooks were installed
- adrian: there is some obs/osc independent tooling to initialize/update git repos here: https://src.opensuse.org/adrianSuSE/obs-git-init.git
- local osc build (or its equivalent): all present expressed their support for keeping it around (some using very strong language)
Action Items
Old Action Items
- AI: snbarth: write up support level for ALP handling (with container native OS - do we still need it on a package by package level)
- AI: dirk: write up status of prototype and share it with the group
- AI: adamm: look at how a git signature policy evaluation could be implemented based on Adam’s multi-signature signing approach