Re: [Tails-dev] Please review'n'merge feature/Sign_jenkins_builds_artifacts
berta...@ptitcanardnoir.org wrote (28 Sep 2013 09:22:16 GMT) :
> Please merge this branch in experimental, devel, stable, testing and feature/wheezy if happy with it.

I'd be happy too, but the branch is based on devel, so I can't merge it into stable. Please rebase on stable, and reassign the ticket to me.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev

Re: [Tails-dev] Please review'n'merge feature/Sign_jenkins_builds_artifacts
berta...@ptitcanardnoir.org wrote (28 Sep 2013 09:22:16 GMT) :
> This change goes together with two changes in our puppet modules: A new one has been created to deploy the gnupg keyring in our autobuilder VM on lizard, and has been reviewed already by intrigeri.

I've had a look at the newest changes that I hadn't reviewed yet.

I think commit 433fa5cf (Move the /mnt/crypt mount operation in a more appropriate place) in lizard's Puppet manifests, and the corresponding commit 2b71c6c6 in tails_secrets_jenkins, are a mistake, and can be dangerous in the future. Let me explain why.

This dummy mount really belongs to an individual node's manifest. This declaration is the only way a sysadmin deploying the tails_secrets_jenkins module can state that they have taken care of the storage security pre-requisites of that module. This statement unblocks the deployment of the module.

Moving this dummy mount into tails_secrets_jenkins really means pretend my storage security pre-requisites are satisfied, regardless of where and how I'm deployed, which kinda defeats the purpose of having any such safe-guard in place.

Please revert both commits. A nicer solution has to be found. I'm happy to help a bit, but for this I need more information than If not it seems to raise a chicken and egg problem :)

I'm thus re-opening #6266.

> Ticket : #6268 - Adapt the Jenkins artifacts rotation script

ACK, marking as resolved!

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

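
The safeguard argued for in the message above, sketched as an added Puppet example; it is not part of the thread and not code from the Tails or lizard repositories. Only `/mnt/crypt` and the `tails_secrets_jenkins` module name come from the thread; the node names, device, directory and file layout are hypothetical, and the mount is shown as a real volume where the thread speaks of a dummy mount.

```puppet
# Added illustration, not the project's manifests.

# --- modules/tails_secrets_jenkins/manifests/init.pp (hypothetical layout) ---
class tails_secrets_jenkins {
  # The module never declares Mount['/mnt/crypt'] itself. It only depends on
  # it, so the catalog is rejected (unresolved dependency) on any node whose
  # manifest does not declare that resource.
  file { '/mnt/crypt/jenkins-gnupg':          # hypothetical directory
    ensure  => directory,
    owner   => 'jenkins',
    group   => 'jenkins',
    mode    => '0700',
    require => Mount['/mnt/crypt'],
  }
}

# --- manifests/nodes.pp (hypothetical) ---
node 'autobuilder.example.org' {
  # Declared by the sysadmin of this node, who thereby states that
  # /mnt/crypt satisfies the module's storage security prerequisites here.
  mount { '/mnt/crypt':
    ensure  => mounted,
    device  => '/dev/mapper/crypt',           # hypothetical encrypted volume
    fstype  => 'ext4',
    options => 'noatime',
  }
  include tails_secrets_jenkins
}

node 'other-host.example.org' {
  # No Mount['/mnt/crypt'] here: the dependency cannot be resolved, the
  # catalog is not applied, and the secrets are not deployed.
  include tails_secrets_jenkins
}
```

If the `mount` declaration lived inside the class instead, both nodes would get a valid catalog and the second one would receive the keyring without anyone having vouched for its storage.
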
Re: [Tails-dev] Please review'n'merge feature/Sign_jenkins_builds_artifacts
On Sun, Sep 29, 2013 at 01:36:28PM +0200, intrigeri wrote:
> berta...@ptitcanardnoir.org wrote (28 Sep 2013 09:22:16 GMT) :
> > Please merge this branch in experimental, devel, stable, testing and feature/wheezy if happy with it.
>
> I'd be happy too, but the branch is based on devel, so I can't merge it into stable. Please rebase on stable, and reassign the ticket to me.

Oooch, you're right. I've just force updated the branch for it to be based on the stable one. Thanks for the reminder.

bert.

Re: [Tails-dev] Please review'n'merge feature/Sign_jenkins_builds_artifacts
berta...@ptitcanardnoir.org wrote (29 Sep 2013 12:13:24 GMT) :
> Oooch, you're right. I've just force updated the branch for it to be based on the stable one. Thanks for the reminder.

merged, pushed to origin + lizard, thanks.

[Tails-dev] Please review'n'merge feature/Sign_jenkins_builds_artifacts
Hi,

The feature/Sign_jenkins_builds_artifacts branch adds the ability to our build-tails script to automatically sign the build result when run in a jenkins environment.

It has been merged into the experimental branch of lizard's Tails repo, and tested on jenkins.tails.boum.org. The result can be checked on nightly.tails.boum.org.

Ticket : #6267 - Add checksum signing ability to the Tails build script
Commit : 31be69f

Please merge this branch in experimental, devel, stable, testing and feature/wheezy if happy with it.

This change goes together with two changes in our puppet modules:

A new one has been created to deploy the gnupg keyring in our autobuilder VM on lizard, and has been reviewed already by intrigeri.

Another change in our puppet setup is related to our rotation script, which needed to be aware that it needs to take care of two new files (*.iso.shasum and *.iso.shasum.asc). This last change can be checked in our main puppet git repo for lizard.

Ticket : #6268 - Adapt the Jenkins artifacts rotation script
Commit : fdecb95 and 6eef9d6

If happy with them, the reviewer can also push the new signing key on the keyserver. It has already been signed by our main signing key. If not, I can take care of that.

Thanks

bert.