-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Mar 23, 2017 at 11:07:12AM +0100, Wojtek Porczyk wrote: > On Thu, Mar 23, 2017 at 02:01:34AM -0400, Jean-Philippe Ouellet wrote: > > Hello, > > Hello, Jean-Philippe, > > > QubesOS/*/core3-devel branches sometimes have unsigned commits (from > > woju) at HEAD. [1] These also get merged into marmarek's remotes [2], > > still without signature. > > > > I assume this is because there are other remotes / branches actually > > being used instead and tags are not propagating. Or does the automated > > signature verification workflow somehow break down in practice? Woju? > > Marmarek? > > This is because I actually don't have my signing key in the same VM as the > development. Instead I use this [1] to sign my tags. I didn't write an > equivalent for making signed commits. Marek keeps his signing keys in the same > VM as IDE, so he signs his commits using the usual git tools.
Actually, this is not true. I use standard split-gpg and have gpg.program = qubes-gpg-client in .gitconfig. This combination didn't work before because of some deadlock, but it was fixed about 2 years ago :P > Also, marmarek has somehow elaborate script which generally pushes only his > own tags to his repo. This stems from the times when we also had private git, > to which we pushed proprietary code (now we don't have one for common > components). Because he is the only one to push to QubesOS/* repos, those also > receive only marmarek's tags. This script pushes tag describing current branch, but I don't use it for some temporary branches (mostly pushed as a backup if my machine fails, not intended to be used otherwise), which I push without any tags, assuming that my (signed) commit is at the top. So there may be some branches *on my github account* without signed tags. > There is one exception: core-admin/core3-devel, > which receives my tags using automated script. And this is the branch that should be used. > My tags are to be found in woju/* repos. Those usually work, until one of us > rebases or cherry-picks something, which happens from time to time. > > > Anyway... my real question is what remotes & branches one should track > > now if one wishes to follow work on R4.0? (Ideally in a state which > > one can build a "working" system from for testing.) Marmarek posted a > > builder.conf some months ago [3], but I doubt it is being used to > > actually build anything since qubes-builder signature verification > > would fail. > > There are five components which have active core3-devel branches: > BRANCH_core_admin = core3-devel > BRANCH_core_admin_linux = core3-devel > BRANCH_core_libvirt = core3-devel > BRANCH_installer_qubes_os = core3-devel > BRANCH_linux_utils = core3-devel > > There are some other components which have had core3-devel branches which were > then merged to master branches. > > As to which repos: Probably QubesOS, but if there is no core3-devel branch, > marmarek's. I only push if I have something new, so most of my repos > are outdated. I write mostly core-admin/core3-devel, so this is the most > current (and most volatile) branch of this component, but there is also a bot > which pushes the commits to QubesOS, and the pull requests happen there, so > you may skip my repos entirely, or only fetch tags from them. > > > [1] https://ftp.qubes-os.org/~woju/pub/qubes-rpc/git-stag > https://ftp.qubes-os.org/~woju/pub/qubes-rpc/woju.GitSignTag > https://ftp.qubes-os.org/~woju/pub/qubes-rpc/stag.png > - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJY06QOAAoJENuP0xzK19csmKEIAIUPKDY48ON2GXh1L0LBoIGI NsMRrnMDgWHfNb1aVWqeDDfD9jFG226TLshFTiuHk+/WsuI2kYln39KYsMDDl/AE dxRIcMO/WsaTXSiPsLoynEMEjk6xTY10C78iuksCmvze5gTgsXBfZJXDhIW+Gd/h Eb3poCj5j3o5qz31kquep/mGWsecNMiZnjsjBfLzrrsqlBbVRuadRce15mb/P/Tt Y8+/c8vvv3M4aBe3tdpvyhx+K37up/NqvaLap4VK43yMU67EeK3384L1T5pfhvHN nNfekFGEdIannGo3NDynsKAbsU9MkRwPIIu9dkVISHCf12qTMZfmtnJY5l4EKqE= =7OlK -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20170323103142.GN1208%40mail-itl. For more options, visit https://groups.google.com/d/optout.