[arch-projects] [arch-repo-management] 2022-05-04 meeting notes
Formatted minutes can be viewed here: https://md.archlinux.org/s/rdnf9nzXj Raw Markdown (still hoping for an easy md→text conversion that formats links in a citation style...) # Arch-repo-management 2022-05-04 meeting Date: 2022-05-04T17:00:00Z Location: Jitsi Scribe: Brett (ainola) ## Attendees * Brett (ainola) * dvzrv * Torxed * wCPO ## Agenda ### Documentation * dvzrv has [created extensive sphinx documentation about the project](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/merge_requests/31)! Hosting It would be nice to set up e.g. docs.archlinux.org as a central documentation platform related to Arch-related tooling/projects with each project having its own subdomain. For instance, repod.docs.archlinux.org. * The wiki is more about configuration/situational help whereas the docs site would be more extensive documentation about the project itself: Much of the specifics don't belong on the wiki. GitLab pages used for WKD docs, let's use pages for all of this documentation * docs.archlinux.org would be a landing page * CI/CD into a repository's GitLab pages * foo.docs.archlinux.org would point to that repo's gitlab page. Security concerns The Gitlab page could potentially maliciously set cookies for archlinux.org. Since documentation changes can be deployed without DevOps, the accepted stewards of infrastructure, it means that non-DevOps members could theoretically maliciously attack the main site. Refer: https://github.com/w3c/webappsec/issues/432 Suggestions for resolution: 1. Change https://archlinux.org to https://www.archlinux.org so that the main page is on a separate subdomain * This would likely cause our search rankings to reset. Cookies would have to be reworked to use the new domain 3. Disable JavaScript via CSP * This would break search functionality for the Sphinx theme 4. Use `` [hash argument](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) to restrict the JavaScript allowed to run (to be managed by DevOps) 5. Widen the range of trust to include more than DevOps members * This is the path of least resistance 6. Enhance archlinux.org security to require more than cookies to authenticate * Not trivial, unlikely to happen No resolution made, we will revisit in a few weeks' time after the PR has been merged. ### Next Steps * next up: [rename the project to repod](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/45) * start implementing the consumption of package metadata (e.g. [.MTREE](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/51), [.BUILDINFO](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/52) (also selection of [.BUILDINFO fields](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/20)) and [.PKGINFO](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/53)) signature.asc Description: PGP signature
[arch-projects] [arch-repo-management] 2022-04-20 meeting minutes
I apologize for the horrendous delay; I had forgotten about addressing my rejected mail to this list! Formatted meeting minutes can be viewed at: https://md.archlinux.org/s/BUpRiww_r A copy of the raw markdown (pandoc does a poor job converting to plain text, suggestions for other tools welcome): Date: 2022-04-20T17:00:00Z - 2022-04-20T18:13:00Z Location: Jitsi Scribe: ainola ## Attendees * ainola * artafinde * dvzrv * heftig * luna * Torxed * wCPO ## Agenda ### CI [renovate-bot](https://gitlab.archlinux.org/archlinux/renovate) was implemented for automating version bumps * Thanks to wCPO for setting that up * [Has a pipeline run on a schedule](https://gitlab.archlinux.org/archlinux/renovate/renovate/-/pipeline_schedules) to e.g. update lock files and scan through the poetry TOML files. It will create a Merge Request with that gruntwork already done for us for review. ([example MR](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/merge_requests/28/diffs)) * Needs a user to run - we have created a "[renovate](https://gitlab.archlinux.org/renovate)" user to run. ### Versioning (c.f. [previous discussion on the same topic](https://md.archlinux.org/_jsxpX_ySrGwu9u0EmSXtg#versions)) Changes are infrequent but they do happen; we need a way to upgrade the database in a sane way. * dvzrv has been working on [#42 (Implement JSON schema for package and database representation)](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/42) and [#29 (Make pgpsig an optional field)](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/29) * Torxed is interested in this work due to similar issues in archinstall ### File management Torxed has been working on package file management via the CLI interface. Two stages right now (for testing): * Take a package and move it to a pool (via symlinks or hardlinks so that downloads don't need to happen when moving between repos) * Tag the package for a particular repository Transactions are a central design around this, so we can all expect to have e.g. staging environments still. Suggestions for improvement * prevent package removal from the pool if it's active * noop on adding identical packages * Fail if a newer version of the package already exists (Otherwise it's assumed to be a version bump and will be accepted) * Missing debug repositories, needs to be implemented Brainstorming * Do we want flexibility to have Subrepositories/ephemeral repositories for testing groups of packages (see [#47](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/47))? signature.asc Description: PGP signature
Re: [arch-projects] [arch-repo-management] Regular meetings in March
On 2022-04-06 21:33, Luna Jernberg wrote: Hey Read the notes now, looks good :) other then the date should be 2022-04-06 at the top Aha, thanks for the eagle eyes. Fixed. signature.asc Description: PGP signature