:: [devuan-dev] Devuan Notes for Aug 1…
トップ ページ
このメッセージを削除
このメッセージに返信
著者: golinux
日付:  
To: devuan-dev
題目: [devuan-dev] Devuan Notes for Aug 16(17) 2017
Devuan Notes for Aug 16(17) 2017

Pad:
https://pad.dyne.org/code/#/1/edit/nVuY1HnoWtgH6bmSyrWKxQ/tBEct7e9LKxhIY4Rx7I7dfJN

Present: Centurion, Evilham, fsmithred, rrq, golinux, dimitsos (pad,
irc), NewGnuGuy (observing)

Missing: The usual suspects.

## Infrastructure discussion (priority)

-
https://pad.dyne.org/code/#/1/edit/usQoFADFDsJ9UAFbVm0H7A/FPGyscaoxWTAqqgscT1bw7VA

## Build improvements discussion

-
https://pad.dyne.org/code/#/1/edit/nXiySd0FPHvG8pBgGgImxA/aJ87TdwIEWiIk96GZcFwypnb

## Centurion Dan
It feels to me like we have a number of key issues in play:

1) How to allow other distributions to use our CI system without
compromising on security? To me there are several factors to consider:

      a) What benefit does hosting each of these other distributions
bring to Devuan and does that benefit offset the cost of resources
required to provide the systems including developer/admin/training time?


      b) Do we allow them to cherry-pick our resources - ie use jenkins
without requiring them to use git.devuan.org (because gdo currently
provides permissions to authorise actions on jenkins)?


      c) Will their use of our CI system constrain our ability to further
develop/enhance/augment our CI system?


      d) How do we arbitrate potentially scarce resources (ie buildhosts)
when there is competition for those resources (think when urgent
security updates need to be built and another project has queued up a
massive number of jobs?  (_Currently we don't but jenkins does have the
capability, to set constraints on a per user/group basis for number of
running builds etc but some time would be required to consider and set
this up)?


   2) How to make triggering builds in the CI system easier then it is
     now?


3) How to provide finer grained (ie per suite) build permissions?

   4) Is there a real security vulnerability with gitlab that makes it a
     now unwise to continue to use as the federated authentication
     provider for our git and CI, and Devuan as a whole system?


**With respect to the scorsh proposal:

I'll agree that scorsh as designed provides a solution to some of
these stated problems, but I believe it does so at the cost of
transparancy, and adds significant complexity and ignores the bigger
picture beyond just building packages

**My concerns about scorsh based on it's DPI/RFC:**

- Scorsh has it's own user database that is not representative of the
existing user database in gitlab. This is problematic as users will
need to be administered in 2 places.
** A possible solution is that scorsh provides an OAuth integrated
website to allow users to manage their own PGP/GPG keys. **

   - Scorsh adds a separate permissions system for authorisation - one
which is entirely disconnected and doesn't respect any of the existing
gitlab federated permissions.  This means we will have two separate sets
of permissions to authorise:
   a) who can upload to git.d.o on a project and branch level
   b) who can build the package of a project for a suite
   _ To me there is no reason to differentiate who can commit to
     suites/jessie and who can build suites/jessie.  If we don't trust
     the committers commits to be built they shouldn't be directly
    committed to that branch._


   ** A solution to this will be to make scorsh use gitlabs permissions
     (available via the api) to ensure anybody that can push to a branch
    in gitlab also can trigger the build of that package.  This obviates
    implementing the user self management of their own keys as suggested
    above. **


   - The Scorsh design requires a refactored version of releasebot that:
   i) bypasses releasebots usual permissions model - because scorsh
     implements it's own
   ii) potentially requires different templates for other distributions
     and thus requires adding code to select those different templates.
      __+ this probably means a fork of releasebot is required, resulting
    in both duplication of function and risk that templates diverge.
    Thus a job add or modification in scorsh results in a different
    jenkins job config to that which is provided by gitlab triggered
    action.__


**Thoughts on Refactoring Releasebot to solve these problems:

   Adding additional build permissions level "Developers" to allow
   building suites *-proposed* and experimental:
   _ this is low hanging fruit, requires a simple permissions test
     function and another if statement.  I can provide this by the 
weekend


   Adding support for other distributions:
     Assumptions:
      - distributions use gitlab for both permissions and projects code
        to build
      - distributions manage their own administrators for adding jenkins
        jobs
      - distributions use their own gitlab group
      - distributions provide their own package repo amprolla setup etc
      - we provide a separate releasebot tailored to their configuration
        requirements.


      Required work:
         a patch to prepend the distro nickname to the handle
           - this is easy, and I can deliver this sometime over the
            weekend.


         a patch to the templates or template logic
           to define the mirrors to use instead of devuans
           - this might also require a refactor of the
             debian-jenkins-glue-buildenv package to ensure env-var
            mirrors are respected.
           - mirror definitions could be hard coded in the template as
             environment variables - making the tempates distro specific.


**Push triggered builds:

     We can use a webhook and a socket listener to trigger builds.
     _Evilham has already begun work on implementing this.


     Aims:
     - uses existing releasebot - means all permissions are implemented
      as
       defined in gitlab.
     - simple filter using gitlab group to determine whether to trigger
       a build
     * 2 possible options for triggering releasebot:
       a) execute it directly.
       _
          pro - immediately starts build
          con - webhook daemon runs where releasebot is located
              - needs patching releasebot so it:
              - copes with not having an associated issue to start with
              - supports project and user arguments.


       b) create an issue in the project and let releasebot start the
         build as it does now.
          _ pro - all the current notifications are sent as now.
                - doesn't need to be run on the same server as releasebot
                - good project records of who and when project builds
                 where executed.
          _ con - up to 5 minute delay for the build to start.


       I'd consider option (b) the quickest and most viable approach with
      (a) a longer term plan and it's something Evilham can work on
       independently.


   Actions since last meeting:
     - continued working on test suite for devuan-releasebot and pushed
       to git
     - shared lots of build infra knowledge and "bigger picture" ideas
      with Evilham


   Coming week:
     - really busy with work (client Django project with deadlines
      looming)
     - will provide patches to releasebot for Developer to be able to
       build *-proposed* & experimental suites.'
     - will provide patches to releasebot to add distro/group prefix
       to jenkins job name


## dimitsos
   - I know that this might seem like a comic relief right now, and it's
     really a long shot, but imagine Devuan running on that machine:
     https://raptorcs.com/content/TL2WK2/intro.html


## fsmithred
- Made a live iso. ascii, openrc, eudev, openbox amd64.

http://distro.ibiblio.org/refracta/files/experimental/ascii_oblx_eudv_oprc-20170813_2222.iso

## golinux
   - http://devuan.evilham.com/ci.png - this graphic needs to be on the
    website.  It used to be on the index page -
    http://web.archive.org/web/20150720070928/https://devuan.org -
    but got lost along the way.  Was promised to be reinstated but that
    never happened (or at least I haven't found it).
   - Website needs updating.  Commits are already in days/weeks ago.
   - More updates pending but why bother if they just sit in limbo
   - Posted to the forum http://defert.com/vincent/devuan-pour-tous/
    another install guide in French.


## KatolaZ
    Sorry, will not be there, due to another commitment.


    - finished the setup of pkgmaster.devuan.org -- we can start to test
     the mirror functionalities as soon as we have the signing key
    - Still waiting for the signing key on amprolla-new.