Repository integrity (Re: OpenBMC v1.0.5 released.)

Patrick Williams patrick at stwcx.xyz
Tue Aug 30 02:33:12 AEST 2016


On Mon, Aug 29, 2016 at 03:17:35PM +0930, Joel Stanley wrote:
> Hey Patrick,
> 
> On Wed, Aug 24, 2016 at 6:33 AM, Patrick Williams <patrick at stwcx.xyz> wrote:
> > Due to a major regression, I re-tagged v1.0.5 with the kernel updates
> > removed.  The change log is therefore just:
> 
> I don't think we should ever overwrite a tag that has hit the public
> repository. There's no harm in doing a quick second tag.

I've heard enough complaining that I won't do it again.  I didn't think
there was honestly any harm in it considering the intended users and the
time-frame for which it was up (around 12 hrs).

> This is particularly important in the context of Brad's account
> becoming compromised recently.

All of my tags are signed with my PGP key and I use 2-factor
authentication on Github.  I sign nearly every email from this address
with that same PGP key for further verification.  I don't think we have
any way to get much more secure without creating the tags on a
network-less machine.

> Can tags be pushed to Gerrit and reviewed through its interface?

Tags are pushed through Gerrit.  They cannot be 'reviewed' because there
isn't any content to review.  Or at least, Gerrit does not have that as
a concept now.

I'm not sure what you would review anyhow?  A signed tag effectively has:
   1. A message.
   2. A referenced commit number.
   3. A signature.

The only thing really to review here would be if you didn't agree with
my choice in commit number.  The message is as simple as "OpenBMC
vx.y.z".  The signatures can also be verified on Github itself since I
have added my public key there.

> Would Github's protected branches feature have stopped you from being
> able to make this change?
> 
>  https://help.github.com/articles/about-protected-branches/

Since I am an admin for 'openbmc', the short answer is no.  After I
force pushed the tag to Gerrit, Github actually wasn't allowing the
replication, so I had to manually do things over on the Github side to
get the two in sync.

Like I said, I won't do it again.

-- 
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20160829/3931d71a/attachment.sig>
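The three parts of a signed tag that Patrick lists above (message, referenced commit, signature) are exactly what `git cat-file -p <tag>` prints and what `git verify-tag <tag>` checks. The following is an added example, not code from the thread or from the OpenBMC project: it parses a constructed, placeholder tag object (the commit id, tagger and signature bytes are made up, not real v1.0.5 data), pulls out the reviewable fields, and recomputes the git object id the way git does (SHA-1 over `"tag <len>\0<body>"`). The last function shows why re-tagging the same name at a different commit is an observable change: the tag object id differs, which is what a mirror or a protected-ref rule keys on. Actual signature verification still requires gpg and the tagger's public key, so this example only splits out the signed payload rather than checking the signature.

```python
import hashlib

# Constructed sample of a signed annotated tag object, in the layout that
# `git cat-file -p v1.0.5` prints.  Commit id, tagger, date and signature
# bytes are placeholders for illustration, not real OpenBMC values.
SAMPLE_TAG = b"""object 0123456789abcdef0123456789abcdef01234567
type commit
tag v1.0.5
tagger Example Tagger <tagger@example.invalid> 1472000000 -0500

OpenBMC v1.0.5
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEplaceholderbytesnotarealsignature
=abcd
-----END PGP SIGNATURE-----
"""

PGP_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def split_signed_tag(raw):
    """Split a tag object into (headers, message, signature, signed_payload).

    git verify-tag feeds gpg everything that precedes the PGP block, so the
    signature covers the headers (including the referenced commit) and the
    message, but not itself.
    """
    i = raw.find(PGP_BEGIN)
    if i < 0:
        raise ValueError("tag object carries no PGP signature")
    payload, signature = raw[:i], raw[i:]
    header_blob, _, message = payload.partition(b"\n\n")
    headers = {}
    for line in header_blob.decode().splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers, message.decode().rstrip("\n"), signature, payload


def git_object_id(kind, body):
    """Object id git assigns in a SHA-1 repository: sha1("<type> <len>\\0" + body)."""
    return hashlib.sha1(b"%s %d\0" % (kind.encode(), len(body)) + body).hexdigest()


def reviewable_fields(raw):
    """The fields a reviewer could actually look at: commit, message, tag id."""
    headers, message, _signature, _payload = split_signed_tag(raw)
    return {
        "commit": headers["object"],
        "message": message,
        "tag_id": git_object_id("tag", raw),
    }


def retag_changes_object_id(raw, new_commit):
    """Re-tagging the same name at a different commit yields a different tag
    object id (and would need a fresh signature), so the ref update is visible
    to anything comparing the old and new tag objects."""
    headers, *_ = split_signed_tag(raw)
    old_line = b"object " + headers["object"].encode()
    new_raw = raw.replace(old_line, b"object " + new_commit.encode(), 1)
    return git_object_id("tag", raw) != git_object_id("tag", new_raw)


if __name__ == "__main__":
    fields = reviewable_fields(SAMPLE_TAG)
    print("commit  :", fields["commit"])
    print("message :", fields["message"])
    print("tag id  :", fields["tag_id"])
    print("re-tag changes id:",
          retag_changes_object_id(SAMPLE_TAG, "f" * 40))
```

In a real checkout the equivalent inspection is `git cat-file -p v1.0.5` followed by `git verify-tag v1.0.5`; the latter exits non-zero if the signature does not verify against a key in your keyring, which is the check a consumer of a tag should run rather than trusting the hosting site's badge.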
