Re: Switching the tracker to git

2014-09-16 Thread Michael Gilbert
On Mon, Sep 15, 2014 at 1:48 PM, Florian Weimer wrote:
> The tracker currently uses Subversion's mixed-revision working copies.
> It only updates the data automatically not the code.  This could be
> preserved by splitting code and data at conversion time.  This split
> alone might be worth the conversion.

Let's make sure to call the new repository something better, like
security-tracker, since there has been confusion often enough with
secure-testing, since so much more than that is supported.

Best wishes,
Mike


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CANTw=mo9nseqsw_zexde9ce8d8gazvve1quptfby+xzv_8x...@mail.gmail.com



Re: Switching the tracker to git

2014-09-15 Thread Salvatore Bonaccorso
Hi,

On Mon, Sep 15, 2014 at 07:15:18AM +0200, Salvatore Bonaccorso wrote:
> When converting the svn repository to git also an author name list
> needs to be created just before making the move[1]. I was involved in
> such a project for the Debian Perl Group svn to git conversion moving
> ~2000 packages in one svn repo to git. It is simpler here! :). Just
> after the security team meeting I did an unofficial PoC for this, so
> can confirm this works. We had a little amount of discussion about
> this, but this unfortunately part of it happened on the team alias
> email, so was not public. I never went further ahead.
> 
>  [1] http://git-scm.com/book/en/Git-and-Other-Systems-Migrating-to-Git
> 
> http://anonscm.debian.org/cgit/collab-maint/secure-testing.git/.git/
> is a start, but the repository needs to be properly converted by
> generating an svn author list.

Based on a modified version of the scripts we used for the pkg-perl
case I have generated the attached AUTHORS.txt.xz list. I will commit
the two scripts needed when happy so they can be used for this step
when we will be at that stage.

For -guest accounts it tries to detect the email to use from
https://alioth.debian.org/users/$author.

Regards,
Salvatore


AUTHORS.txt.xz
Description: Binary data
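
The author-list step discussed in the message above, as an added example; it is not one of the scripts mentioned in the thread. It extracts committers from `svn log --xml --quiet` output, drafts an authors file of the kind `git svn clone --authors-file` reads, and lists committers that still lack a real entry. The sample log, the `login@debian.org` mapping for non-guest accounts and the `TODO-lookup` marker are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prepare and check an authors file for an svn-to-git conversion.

# Constructed sample of `svn log --xml --quiet` output (not tracker history).
sample_log() {
cat <<'EOF'
<log>
<logentry revision="3">
<author>alice</author>
</logentry>
<logentry revision="2">
<author>bob-guest</author>
</logentry>
<logentry revision="1">
<author>alice</author>
</logentry>
</log>
EOF
}

# Print the unique committer logins found in svn log XML read from stdin.
svn_authors() {
    sed -n 's:.*<author>\(.*\)</author>.*:\1:p' | sort -u
}

# Turn logins (stdin) into authors-file lines "login = Name <email>".
# Assumption: non-guest logins map to login@debian.org; "-guest" logins get
# a TODO marker until their address has been looked up.
authors_skeleton() {
    while IFS= read -r login; do
        case "$login" in
            *-guest) printf '%s = %s <TODO-lookup>\n' "$login" "$login" ;;
            *)       printf '%s = %s <%s@debian.org>\n' "$login" "$login" "$login" ;;
        esac
    done
}

# List committers in log file $1 without a resolved entry in authors file $2.
unmapped_authors() {
    svn_authors < "$1" | while IFS= read -r login; do
        # Exact match on the login; entries still marked TODO count as missing.
        awk -F' = ' -v l="$login" \
            '$1 == l && $2 !~ /TODO-lookup/ { ok = 1 } END { exit !ok }' "$2" \
            || printf '%s\n' "$login"
    done
}

sample_log | svn_authors | authors_skeleton
```

Running `unmapped_authors` against the real log before the conversion shows which logins still need an entry, since `git svn` stops on a committer that is missing from the authors file.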


Re: Switching the tracker to git

2014-09-15 Thread Florian Weimer
> My guess is that the only reason that subversion is still used is
> inertia and that people would be happier with git. However, I'm curious
> to know if anyone thinks otherwise?

For releasing security advisories, we need the centralized repository
to guarantee uniqueness of DSA numbers.

I'm also worried that people will make more local commits without
pushing immediately, duplicating work.  But perhaps these concerns are
unfounded.

The tracker currently uses Subversion's mixed-revision working copies.
It only updates the data automatically not the code.  This could be
preserved by splitting code and data at conversion time.  This split
alone might be worth the conversion.





Re: Switching the tracker to git

2014-09-15 Thread Holger Levsen
Hi,

On Monday, 15 September 2014, Thijs Kinkhorst wrote:
> > What would be the actual benefits of moving to Git and I'm not talking

git log, git show, git stash and git branch and cherry-pick...!!

Working with a decentralized and fast(!) version control system locally is 
so much more fun + effective, the difference is hard to imagine if you 
haven't experienced it yourself.

> Some points of attention:

I've updated org/TODO now with the points raised by Salvatore and Thijs.

Just one thing made me suspicious:

> - Two main non-human use of svn are the joeyh commit script and the
> tracker itself.

the "two main"?? Are there others? Currently this part of TODO reads:

Security Tracker svn to git conversion
 - TBD: add here the todo items to be considered for the move
   * joeyh's commit script needs to be adopted to git
   * When fixing the joeyh one, I think it makes sense to move it to a role
     account on alioth (as previously discussed), rather than this personal
     account, at the same time.
   * the tracker itself needs to be adopted
   * There's also a very useful pre-commit hook that checks syntax of commits
     to data/*. This is something that also would need a place somewhere.
   * the sectracker user is subscribed to the commits mailinglists, and the
     commit messages trigger updates of the tracker.
   * http://security-team.debian.org is updated from svn, needs to be
     switched, should be simple
   * debsecan?


cheers,
Holger




Re: Switching the tracker to git

2014-09-15 Thread Salvatore Bonaccorso
Hi

I forgot about two more points: One is the sectracker user is
subscribed to the commits mailinglists, and the commit messages
trigger updates of the tracker.

The other thing, the svn checkout is also used for
http://security-team.debian.org, but this should be a simple case.

I will add all items to be considered - and which comes to my mind -
for a svn to git migration into

org/TODO

Please add there further todos!

Hope that helps anybody who wants to volunteer for that.

Regards,
Salvatore





Re: Switching the tracker to git

2014-09-15 Thread Thijs Kinkhorst
On Mon, September 15, 2014 07:33, Henri Salo wrote:
> On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
>> My guess is that the only reason that subversion is still used is
>> inertia and that people would be happier with git. However, I'm curious
>> to know if anyone thinks otherwise?
>
> In my experience Git also takes more time per commit if we are talking
> about making branches and/or pull requests.

I think this will be the cases we're not going to use (much).

> What would be the actual benefits of moving to Git and I'm not talking
> about some minor speed improvements. Please
> also note that there are hooks in SVN currently and I'm not sure if those
> can be migrated to Git.

Speed improvements, further standardisation within Debian on git so less
tools for new people to learn, ability to work offline (limited use with
the daily flow, but may be useful for some cases) are some good reasons.

I believe at the very least git will not make the situation worse for
current routine use.

> I'm more than happy to discuss this case in detail and even help to
> implement it if/when team starts to move that direction.

Michael's statement is spot on: there's no objection to such migration but
as svn didn't pose huge problems yet it hasn't been a priority.

I would say that if someone wants to do the work, just do it (as long as
you keep everyone informed of course).

Some points of attention:
- Two main non-human use of svn are the joeyh commit script and the
tracker itself.
- When fixing the joeyh one, I think it makes sense to move it to a role
account on alioth (as previously discussed), rather than this personal
account, at the same time.
- There's also a very useful pre-commit hook that checks syntax of commits
to data/*. This is something that also would need a place somewhere.


Cheers,
Thijs





Re: Switching the tracker to git

2014-09-14 Thread Henri Salo

On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
> My guess is that the only reason that subversion is still used is
> inertia and that people would be happier with git. However, I'm curious
> to know if anyone thinks otherwise?

In my experience Git also takes more time per commit if we are talking about
making branches and/or pull requests. What would be the actual benefits of
moving to Git and I'm not talking about some minor speed improvements. Please
also note that there are hooks in SVN currently and I'm not sure if those can be
migrated to Git.

I'm more than happy to discuss this case in detail and even help to implement it
if/when team starts to move that direction.

---
Henri Salo





Re: Switching the tracker to git

2014-09-14 Thread Salvatore Bonaccorso
Hi Micah,

On Sun, Sep 14, 2014 at 07:06:46PM -0400, micah wrote:
> 
> Hello,
> 
> As it stands now, the security tracker is using subversion. 
> 
> Here are the facts as far as I can tell:
> 
> . people doing work on the tracker are using svn to commit
> . h01ger is doing a regular git-svn import of the tracker repository
> . there is a regular cron job run by joeyh that does the automatic updates:
>   joeyh r28744 data/CVE/list * automatic update
> . the web interface probably has some automated process to pull the
> latest updates over svn
> 
> My guess is that the only reason that subversion is still used is
> inertia and that people would be happier with git. However, I'm curious
> to know if anyone thinks otherwise?
> 
> I don't exactly have the time right now to volunteer for changing
> things, but I thought that the first step would be to see what people
> thought, and then maybe if it was clear what people's preferences were,
> perhaps someone might volunteer!

Yep basically it was the following: We discussed this at the security
team meeting were agreeing on switching to git but it is not moving
forward due to lack of time and volunteers. But also it is not only
the repository but some components around which need to be considered,
as you pointed out above.

When converting the svn repository to git also an author name list
needs to be created just before making the move[1]. I was involved in
such a project for the Debian Perl Group svn to git conversion moving
~2000 packages in one svn repo to git. It is simpler here! :). Just
after the security team meeting I did an unofficial PoC for this, so
can confirm this works. We had a little amount of discussion about
this, but this unfortunately part of it happened on the team alias
email, so was not public. I never went further ahead.

 [1] http://git-scm.com/book/en/Git-and-Other-Systems-Migrating-to-Git

http://anonscm.debian.org/cgit/collab-maint/secure-testing.git/.git/
is a start, but the repository needs to be properly converted by
generating an svn author list.

joeyh's cronjob needs to be moved to the role account which we have
now already. Raphael Geisert requested it.

The setup on soler (the security-tracker.d.o hosting host) will also
need adjustment to the conversion before we would go live (cronjobs,
checkouts triggered by commit mails, ...). The setup
there relies on the svn checkout right now, it is documented in the
soler.txt file in the repository.

SVN hooks need to be converted. E.g. the one which does some sanity
check as precommit.

One other point we wanted to do (see the minutes from the meeting,
should be documented there) in one go was to rename the project from
secure-testing to something else, since it is long already not about
secure-testing. But this probably could be split. I have asked for
this alioth admins how easily we could rename an existing project to
something else, but have not got a reply on this.

Ah yes there is also
https://contributors.debian.org/source/Debian%20Security%20Tracker :)

It is in my pov good to move to git. There are some aspects which need
to be considered before the move, as we absolutely need to have a
working security-tracker instance for the security team's work. Work
was relatively hard and stalled in some parts when alioth went down as
an example.

Regards,
Salvatore





Re: Switching the tracker to git

2014-09-14 Thread Michael Gilbert
On Sun, Sep 14, 2014 at 7:06 PM, micah  wrote:
>
> Hello,
>
> As it stands now, the security tracker is using subversion.
>
> Here are the facts as far as I can tell:
>
> . people doing work on the tracker are using svn to commit
> . h01ger is doing a regular git-svn import of the tracker repository
> . there is a regular cron job run by joeyh that does the automatic updates:
>   joeyh r28744 data/CVE/list * automatic update
> . the web interface probably has some automated process to pull the
> latest updates over svn
>
> My guess is that the only reason that subversion is still used is
> inertia and that people would be happier with git. However, I'm curious
> to know if anyone thinks otherwise?

There has been discussion of switching to git for a while now.  Last
security team meeting it was decided to stay with svn since no one
volunteered to lead conversion to git.  So if someone volunteered for
that, it could happen.

Best wishes,
Mike

