| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
| <html> |
| <head> |
| <meta http-equiv="Content-type" content="text/html;charset=UTF-8"> |
| <title>#centos-devel log</title> |
| <style type="text/css"> |
| |
| pre { |
| white-space: pre-wrap; } |
| body { background: #f0f0f0; } |
| |
| body .tm { color: #007020 } |
| body .nk { color: #062873; font-weight: bold } |
| body .nka { color: #007020; font-weight: bold } |
| body .ac { color: #00A000 } |
| body .hi { color: #4070a0 } |
| |
| body .topic { color: #007020; font-weight: bold } |
| body .topicline { color: #000080; font-weight: bold } |
| body .cmd { color: #007020; font-weight: bold } |
| body .cmdline { font-weight: bold } |
| |
| </style> |
| </head> |
| |
| <body> |
| <pre><a name="l-1"></a><span class="tm">13:01:06</span><span class="nk"> <bstinson></span> <span class="cmd">#startmeeting</span><span class="cmdline"></span> |
| <a name="l-2"></a><span class="tm">13:01:06</span><span class="nk"> <centbot></span> Meeting started Mon Sep 15 13:01:06 2014 UTC. The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot. |
| <a name="l-3"></a><span class="tm">13:01:06</span><span class="nk"> <centbot></span> Useful Commands: #action #agreed #help #info #idea #link #topic. |
| <a name="l-4"></a><span class="tm">13:01:27</span><span class="nk"> <bstinson></span> <span class="cmd">#meetingname </span><span class="cmdline">CBS-Infra-2014-09-15</span> |
| <a name="l-5"></a><span class="tm">13:01:27</span><span class="nk"> <centbot></span> The meeting name has been set to 'cbs-infra-2014-09-15' |
| <a name="l-6"></a><span class="tm">13:01:52</span><span class="nk"> <bstinson></span> <span class="cmd">#chair </span><span class="cmdline">alphacc Arrfab kbsingh bstinson MerlinTHP_</span> |
| <a name="l-7"></a><span class="tm">13:01:52</span><span class="nk"> <centbot></span> Current chairs: Arrfab MerlinTHP_ alphacc bstinson kbsingh |
| <a name="l-8"></a><span class="tm">13:02:45</span><span class="nk"> <bstinson></span> <span class="topic">#topic </span><span class="topicline">Is this a good time to meet?</span> |
| <a name="l-9"></a><span class="tm">13:02:54</span><span class="nk"> <MerlinTHP_></span> Well, it works for me :) |
| <a name="l-10"></a><span class="tm">13:03:51</span><span class="nk"> <alphacc></span> Me too if we keep it under 30 min |
| <a name="l-11"></a><span class="tm">13:04:01</span><span class="nk"> <bstinson></span> Good, I think we should make this a regular thing (weekly, or every-other-week) for a while until we run out of things to talk about |
| <a name="l-12"></a><span class="tm">13:04:09 </span><span class="nka">* MerlinTHP_</span> <span class="ac">nods.</span> |
| <a name="l-13"></a><span class="tm">13:04:11</span><span class="nk"> <bstinson></span> short meetings are good |
| <a name="l-14"></a><span class="tm">13:04:17</span><span class="nk"> <alphacc></span> I think weekly is good for now. |
| <a name="l-15"></a><span class="tm">13:04:39</span><span class="nk"> <MerlinTHP_></span> Agreed, i imagine we can find things to talk about |
| <a name="l-16"></a><span class="tm">13:04:57</span><span class="nk"> <wolfy></span> works for me too. although I am just a lurker |
| <a name="l-17"></a><span class="tm">13:05:18</span><span class="nk"> <bstinson></span> <span class="cmd">#agreed </span><span class="cmdline">Weekly meetings on Monday at 13:00 UTC</span> |
| <a name="l-18"></a><span class="tm">13:06:36 </span><span class="nka">* lalatenduM</span> <span class="ac">is here too</span> |
| <a name="l-19"></a><span class="tm">13:06:54</span><span class="nk"> <bstinson></span> <span class="topic">#topic </span><span class="topicline">SIG/Developer authentication</span> |
| <a name="l-20"></a><span class="tm">13:07:39</span><span class="nk"> <alphacc></span> so far cbs has its own CA, I don't know the status of git.c.o auth |
| <a name="l-21"></a><span class="tm">13:07:53 </span><span class="nka">* MerlinTHP_</span> <span class="ac">assumes it's ssh key auth</span> |
| <a name="l-22"></a><span class="tm">13:07:59</span><span class="nk"> <MerlinTHP_></span> Can anyone confirm? |
| <a name="l-23"></a><span class="tm">13:08:08 </span><span class="nka">* kbsingh</span> <span class="ac">is here</span> |
| <a name="l-24"></a><span class="tm">13:08:14 </span><span class="nka">* gwd</span> <span class="ac">is here</span> |
| <a name="l-25"></a><span class="tm">13:08:17</span><span class="nk"> <bstinson></span> we also need to worry about the lookaside cache |
| <a name="l-26"></a><span class="tm">13:08:42</span><span class="nk"> <MerlinTHP_></span> I'd be tempted to start from a default position of "what does fedora infra do?" |
| <a name="l-27"></a><span class="tm">13:09:01</span><span class="nk"> <MerlinTHP_></span> If only that they've solved a lot of this stuff, and have existing tooling |
| <a name="l-28"></a><span class="tm">13:09:10</span><span class="nk"> <bstinson></span> I think FAS is on the radar |
| <a name="l-29"></a><span class="tm">13:09:24</span><span class="nk"> <kbsingh></span> i am not sure if FAS is indeed on the store for CentOS though - is it ? |
| <a name="l-30"></a><span class="tm">13:09:38</span><span class="nk"> <MerlinTHP_></span> I've heard it mentioned, but nothing conclusive. |
| <a name="l-31"></a><span class="tm">13:09:49</span><span class="nk"> <kbsingh></span> there certainly hasn't been any movement on that front - FAS was brought up a few times, but only in line with other potential solutions as well |
| <a name="l-32"></a><span class="tm">13:09:49</span><span class="nk"> <gwd></span> What's FAS? |
| <a name="l-33"></a><span class="tm">13:09:57</span><span class="nk"> <Arrfab></span> <span class="hi">alphacc:</span> atm git.c.o uses its internal auth DB |
| <a name="l-34"></a><span class="tm">13:09:58</span><span class="nk"> <kbsingh></span> <span class="hi">gwd:</span> the Fedora Accounting System |
| <a name="l-35"></a><span class="tm">13:09:59</span><span class="nk"> <MerlinTHP_></span> Fedora Account System |
| <a name="l-36"></a><span class="tm">13:10:24</span><span class="nk"> <MerlinTHP_></span> I'm not sure we really want to build something from scratch. |
| <a name="l-37"></a><span class="tm">13:10:33</span><span class="nk"> <alphacc></span> <span class="hi">Arrfab:</span> but gitblit does support ssl cert ? |
| <a name="l-38"></a><span class="tm">13:10:45</span><span class="nk"> <kbsingh></span> git.centos.org can more or less do anything, including ldap, krb, shared certs, shared ca, pub certs, internal pipe backend for auth or even static files |
| <a name="l-39"></a><span class="tm">13:10:51</span><span class="nk"> <kbsingh></span> <span class="hi">alphacc:</span> yes |
| <a name="l-40"></a><span class="tm">13:10:57</span><span class="nk"> <MerlinTHP_></span> What does g.c.o do now? |
| <a name="l-41"></a><span class="tm">13:11:13</span><span class="nk"> <kbsingh></span> <span class="hi">MerlinTHP_:</span> flat file, internal auth |
| <a name="l-42"></a><span class="tm">13:11:24</span><span class="nk"> <MerlinTHP_></span> I suppose we're at the point of not having a huge userbase to reeducate |
| <a name="l-43"></a><span class="tm">13:12:24</span><span class="nk"> <kbsingh></span> are we talking purely in the context of git.centos.org + cbs.centos.org ? I guess having FAS like system would help if were to come up system wide for all of .centos.org - and we can move wiki + bugs + forums + other things to it as well |
| <a name="l-44"></a><span class="tm">13:12:41</span><span class="nk"> <MerlinTHP_></span> I'd suggest that ideally the latter |
| <a name="l-45"></a><span class="tm">13:13:15</span><span class="nk"> <MerlinTHP_></span> In addition to FAS, I'd be tempted to throw IPA into the ring as an option too. |
| <a name="l-46"></a><span class="tm">13:13:48</span><span class="nk"> <MerlinTHP_></span> I spend a fair amount of time in $dayjob getting stuff to auth against our IPA instance. |
| <a name="l-47"></a><span class="tm">13:14:04</span><span class="nk"> <Arrfab></span> <span class="hi">MerlinTHP_:</span> such discussion started too, but the scope is wider than just cbs+git which is supposed to be the "to be discussed points" today |
| <a name="l-48"></a><span class="tm">13:14:06</span><span class="nk"> <alphacc></span> <span class="hi">kbsingh:</span> yes. In terms of interaction between cbs/git we just need people to be able to create branches at the git level |
| <a name="l-49"></a><span class="tm">13:14:26</span><span class="nk"> <MerlinTHP_></span> <span class="hi">Arrfab:</span> agreed. |
| <a name="l-50"></a><span class="tm">13:14:38</span><span class="nk"> <MerlinTHP_></span> Seems silly to build something just for cbs & git, though |
| <a name="l-51"></a><span class="tm">13:15:34</span><span class="nk"> <kbsingh></span> how would branches in git.c.o work - at the moment, the distro branch is locked - no one can commit to those. and I've been working to have branch name be the sig name for someone |
| <a name="l-52"></a><span class="tm">13:15:37</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> I think it's better to test the workflow for building and defer auth for later. |
| <a name="l-53"></a><span class="tm">13:15:54</span><span class="nk"> <kbsingh></span> eg. VirtSig people will need to work with their own branch - but wont be able to create and push to other ones, unless they had acl's for other sig's as well |
| <a name="l-54"></a><span class="tm">13:16:21</span><span class="nk"> <MerlinTHP_></span> <span class="hi">alphacc:</span> I'm just a bit worried about getting people too familiar with something that we might well change later |
| <a name="l-55"></a><span class="tm">13:16:21</span><span class="nk"> <Arrfab></span> <span class="hi">MerlinTHP_:</span> agreed too, but it would be good to know what are the blockers now on the git/cbs status. and if common auth is the real issue, then another meeting around centralized auth can be foreseen :-) |
| <a name="l-56"></a><span class="tm">13:17:19</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> the koji part won't change, and educating users to access git with pass or ssh key doesn't seem an issue for our audience |
| <a name="l-57"></a><span class="tm">13:17:27</span><span class="nk"> <MerlinTHP_></span> <span class="hi">alphacc:</span> fair enough |
| <a name="l-58"></a><span class="tm">13:17:40</span><span class="nk"> <gwd></span> <span class="hi">kbsingh:</span> So I think we need to be able to have dev branches from which we can issue a pull request. |
| <a name="l-59"></a><span class="tm">13:17:50</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> I would agree if it was for everybody. |
| <a name="l-60"></a><span class="tm">13:18:29</span><span class="nk"> <MerlinTHP_></span> <span class="hi">alphacc:</span> I'm a bit worried that you don't scale, though ;) |
| <a name="l-61"></a><span class="tm">13:18:37</span><span class="nk"> <MerlinTHP_></span> <span class="hi">alphacc:</span> you're doing all the account creation by hand atm? |
| <a name="l-62"></a><span class="tm">13:19:04</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> correct. this is part of this week documentation effort. |
| <a name="l-63"></a><span class="tm">13:19:05</span><span class="nk"> <Arrfab></span> <span class="hi">MerlinTHP_:</span> yes, but afaik less than 10 people have access through approved SIGs |
| <a name="l-64"></a><span class="tm">13:19:17</span><span class="nk"> <kbsingh></span> in terms of forward-looking-planning, my estimate on user accounts to end of the year 2014 is 50 |
| <a name="l-65"></a><span class="tm">13:19:27</span><span class="nk"> <MerlinTHP_></span> OK |
| <a name="l-66"></a><span class="tm">13:19:27</span><span class="nk"> <kbsingh></span> and in the next 18 months, is to grow that to 150 |
| <a name="l-67"></a><span class="tm">13:19:44</span><span class="nk"> <bstinson></span> which is not so bad |
| <a name="l-68"></a><span class="tm">13:20:10</span><span class="nk"> <kbsingh></span> most SIG's are only going to have a few people committing into git.centos.org right ? I'm counting on the biggest ones having 10 |
| <a name="l-69"></a><span class="tm">13:20:18</span><span class="nk"> <Evolution></span> I still think long-term it should be automated, rather than blocking on a specific person |
| <a name="l-70"></a><span class="tm">13:20:27</span><span class="nk"> <Evolution></span> or group of people. |
| <a name="l-71"></a><span class="tm">13:20:31</span><span class="nk"> <MerlinTHP_></span> Mm |
| <a name="l-72"></a><span class="tm">13:20:48</span><span class="nk"> <MerlinTHP_></span> This is one of those "FAS has already solved this issue" things, tbh |
| <a name="l-73"></a><span class="tm">13:21:04</span><span class="nk"> <kbsingh></span> <span class="hi">gwd:</span> wouldn't that be local though ? eg. if some people want to do local branches ? or are you saying that people will need commit access to git.centos.org where from a 'privileged' account can merge into the production branch and issue a build req ? |
| <a name="l-74"></a><span class="tm">13:21:06</span><span class="nk"> <Evolution></span> yeah. fas or a bit of scripting around ipa. |
| <a name="l-75"></a><span class="tm">13:21:11</span><span class="nk"> <MerlinTHP_></span> <span class="hi">Evolution:</span> exactly |
| <a name="l-76"></a><span class="tm">13:21:27</span><span class="nk"> <alphacc></span> <span class="hi">Evolution:</span> yes agreed |
| <a name="l-77"></a><span class="tm">13:21:36</span><span class="nk"> <MerlinTHP_></span> TBH I personally like IPA a lot, but I'm trying not to be too biased ;) |
| <a name="l-78"></a><span class="tm">13:22:01</span><span class="nk"> <kbsingh></span> <span class="hi">gwd:</span> if we want the push coming to git.centos.org - we might need to workout some sort of a convention for personal branches. |
| <a name="l-79"></a><span class="tm">13:22:18</span><span class="nk"> <kbsingh></span> automate everything |
| <a name="l-80"></a><span class="tm">13:22:49</span><span class="nk"> <gwd></span> <span class="hi">kbsingh:</span> Well it doesn't need to be on git.c.o, if that's what you mean; it could be on gitorious/github/some other public repo. But wherever it is, we want to be able to build from it. At least, I assume the burden of testing to make sure it builds properly should be on the person sending the pull request, not on the person potentially doing the pulling. :-) |
| <a name="l-81"></a><span class="tm">13:23:04</span><span class="nk"> <kbsingh></span> specially, since automation is the only way to really make sure there is a 'user-exiting' cleanup process as well |
| <a name="l-82"></a><span class="tm">13:23:15</span><span class="nk"> <MerlinTHP_></span> Just bear in mind that koji needs config for each git server you want to pull from |
| <a name="l-83"></a><span class="tm">13:23:26</span><span class="nk"> <kbsingh></span> <span class="hi">MerlinTHP_:</span> it will only pull from git.centos.org |
| <a name="l-84"></a><span class="tm">13:23:27</span><span class="nk"> <MerlinTHP_></span> I'd recommend only having koji pull from g.c.o |
| <a name="l-85"></a><span class="tm">13:23:33</span><span class="nk"> <MerlinTHP_></span> Right. |
| <a name="l-86"></a><span class="tm">13:23:39</span><span class="nk"> <alphacc></span> yes |
| <a name="l-87"></a><span class="tm">13:24:02</span><span class="nk"> <MerlinTHP_></span> So anything you want to build has to end up in g.c.o, even if people are pushing to github or whatever |
| <a name="l-88"></a><span class="tm">13:24:34</span><span class="nk"> <Arrfab></span> <span class="hi">MerlinTHP_:</span> yes |
| <a name="l-89"></a><span class="tm">13:24:43</span><span class="nk"> <kbsingh></span> yeah, its a good problem domain to fix, its the classic who CI's and how does the CI queue work |
| <a name="l-90"></a><span class="tm">13:24:46</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> There is SRPM use case, but I really didn't find any good reason. |
| <a name="l-91"></a><span class="tm">13:24:47</span><span class="nk"> <gwd></span> <span class="hi">MerlinTHP:</span> Then that would imply either 1) sending pull requests from trees that haven't been tested on koji or 2) having development trees on git.c.o so that things could be tested on koji before sending a pull request |
| <a name="l-92"></a><span class="tm">13:25:06</span><span class="nk"> <kbsingh></span> i wonder if we can have people do scratch builds, and the results be a consideration for people doing the pulls |
| <a name="l-93"></a><span class="tm">13:25:16</span><span class="nk"> <alphacc></span> <span class="hi">gwd:</span> koji should not become a CI. |
| <a name="l-94"></a><span class="tm">13:25:28</span><span class="nk"> <MerlinTHP_></span> Yeah, koji isn't great for CI |
| <a name="l-95"></a><span class="tm">13:25:37</span><span class="nk"> <kbsingh></span> i dont think gwd is talking CI though |
| <a name="l-96"></a><span class="tm">13:25:51</span><span class="nk"> <MerlinTHP_></span> Right. |
| <a name="l-97"></a><span class="tm">13:25:53</span><span class="nk"> <kbsingh></span> we're not testing the code, per se - its just to make sure the branch is buildable |
| <a name="l-98"></a><span class="tm">13:26:04</span><span class="nk"> <kbsingh></span> maybe --scratch builds might be a middle ground there ? |
| <a name="l-99"></a><span class="tm">13:26:05</span><span class="nk"> <alphacc></span> Yes just a warning, cause I have koji users :) |
| <a name="l-100"></a><span class="tm">13:26:21</span><span class="nk"> <gwd></span> Just because it builds via an SRPM doesn't mean it will build from a git tree. :-) |
| <a name="l-101"></a><span class="tm">13:26:44</span><span class="nk"> <MerlinTHP_></span> There's not that much difference between koji building a package and mock on a user box, as long as mock is using the koji repos. |
| <a name="l-102"></a><span class="tm">13:26:54</span><span class="nk"> <kbsingh></span> <span class="hi">gwd:</span> right, but koji only ever builds from a srpm - the git is just where the srpm is stored, we're never building from git |
| <a name="l-103"></a><span class="tm">13:27:15</span><span class="nk"> <kbsingh></span> when koji gets a build-this, it git checks out, makes it into an srpm - then does the mock run to build rpms out of it |
| <a name="l-104"></a><span class="tm">13:27:17</span><span class="nk"> <MerlinTHP_></span> Well, koji pulls the source from git and builds a srpm |
| <a name="l-105"></a><span class="tm">13:27:24</span><span class="nk"> <alphacc></span> <span class="hi">kbsingh:</span> yes |
| <a name="l-106"></a><span class="tm">13:27:24</span><span class="nk"> <MerlinTHP_></span> Yeah, tha |
| <a name="l-107"></a><span class="tm">13:27:25</span><span class="nk"> <MerlinTHP_></span> t |
| <a name="l-108"></a><span class="tm">13:28:13</span><span class="nk"> <bstinson></span> (bringing it back in a little bit) it sounds to me like we aren't quite ready to talk about long-term auth |
| <a name="l-109"></a><span class="tm">13:28:21</span><span class="nk"> <kbsingh></span> <span class="hi">nutshell:</span> gwd's point is that people need to be able to propose changes, without running their own buildsystems. right ? |
| <a name="l-110"></a><span class="tm">13:28:24 </span><span class="nka">* MerlinTHP_</span> <span class="ac">is getting that ;)</span> |
| <a name="l-111"></a><span class="tm">13:28:28</span><span class="nk"> <MerlinTHP_></span> +feeling |
| <a name="l-112"></a><span class="tm">13:29:30</span><span class="nk"> <bstinson></span> what can we do in the short term to get people access to the lookaside caches? i know that's come up a couple of times |
| <a name="l-113"></a><span class="tm">13:29:45</span><span class="nk"> <MerlinTHP_></span> Auth with the same SSL cert they use for koji? |
| <a name="l-114"></a><span class="tm">13:30:10</span><span class="nk"> <alphacc></span> <span class="hi">bstinson:</span> I think we need at least docs on how the process will be handled. |
| <a name="l-115"></a><span class="tm">13:30:27</span><span class="nk"> <MerlinTHP_></span> The upload script for fedora's lookaside is public, and can be easily adapted to our cache |
| <a name="l-116"></a><span class="tm">13:31:07</span><span class="nk"> <MerlinTHP_></span> I can hunt that out if there's interest |
| <a name="l-117"></a><span class="tm">13:31:07</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> can it be part of centpkg ? |
| <a name="l-118"></a><span class="tm">13:31:11</span><span class="nk"> <kbsingh></span> are we talking about https://git.centos.org/sources/ ? |
| <a name="l-119"></a><span class="tm">13:31:26</span><span class="nk"> <bstinson></span> <span class="hi">kbsingh:</span> yes |
| <a name="l-120"></a><span class="tm">13:31:27</span><span class="nk"> <MerlinTHP_></span> Yeah |
| <a name="l-121"></a><span class="tm">13:31:35</span><span class="nk"> <kbsingh></span> the privileged path to that store is via ssh or rsync over ssh at the moment |
| <a name="l-122"></a><span class="tm">13:31:42</span><span class="nk"> <Evolution></span> 868963 |
| <a name="l-123"></a><span class="tm">13:31:43</span><span class="nk"> <MerlinTHP_></span> Hmm |
| <a name="l-124"></a><span class="tm">13:31:58</span><span class="nk"> <kbsingh></span> but its a flat filesystem, so a cgi script ( like what fedora use ) might be easy to adapt, and we can protect branches at the unix level |
| <a name="l-125"></a><span class="tm">13:32:09</span><span class="nk"> <Evolution></span> 195082 |
| <a name="l-126"></a><span class="tm">13:32:16</span><span class="nk"> <kbsingh></span> ( ie. I can make sure the buildsystem and distro branches are owned by someone else ) |
| <a name="l-127"></a><span class="tm">13:32:27</span><span class="nk"> <kbsingh></span> <span class="hi">Evolution:</span> move your yubi key to a different usb port |
| <a name="l-128"></a><span class="tm">13:32:32</span><span class="nk"> <MerlinTHP_></span> Heh |
| <a name="l-129"></a><span class="tm">13:32:36</span><span class="nk"> <alphacc></span> ah ah |
| <a name="l-130"></a><span class="tm">13:32:39</span><span class="nk"> <Evolution></span> bah, was dialing phone. |
| <a name="l-131"></a><span class="tm">13:32:47</span><span class="nk"> <kbsingh></span> alternatively, folks - anyone needing to break into Evolution's 2FA accounts, you have about 180 seconds to use those two codes |
| <a name="l-132"></a><span class="tm">13:32:48 </span><span class="nka">* Evolution</span> <span class="ac">moves laptop</span> |
| <a name="l-133"></a><span class="tm">13:32:50</span><span class="nk"> <MerlinTHP_></span> No, you weren't ;) |
| <a name="l-134"></a><span class="tm">13:32:55</span><span class="nk"> <bstinson></span> heh |
| <a name="l-135"></a><span class="tm">13:33:18</span><span class="nk"> <kbsingh></span> i need a better keyboard, way too many typos |
| <a name="l-136"></a><span class="tm">13:33:31</span><span class="nk"> <bstinson></span> <span class="hi">alphacc:</span> to answer your question, it's already built into rpkg we just need to figure out how to say if a user has upload privs or not |
| <a name="l-137"></a><span class="tm">13:33:32</span><span class="nk"> <kbsingh></span> so, what / how would centpkg integrate with the sources / lookaside push ? |
| <a name="l-138"></a><span class="tm">13:33:47</span><span class="nk"> <MerlinTHP_></span> centpkg has upload support |
| <a name="l-139"></a><span class="tm">13:33:57</span><span class="nk"> <MerlinTHP_></span> It needs tweaking for centos' cache layout |
| <a name="l-140"></a><span class="tm">13:34:11</span><span class="nk"> <MerlinTHP_></span> It does an HTTPS request with the client cert for auth |
| <a name="l-141"></a><span class="tm">13:34:42</span><span class="nk"> <MerlinTHP_></span> sorry, rpkg has that, centpkg can override that code |
| <a name="l-142"></a><span class="tm">13:35:02</span><span class="nk"> <alphacc></span> ok |
| <a name="l-143"></a><span class="tm">13:35:14</span><span class="nk"> <kbsingh></span> what do we need on the server to support that push ? |
| <a name="l-144"></a><span class="tm">13:35:31</span><span class="nk"> <MerlinTHP_></span> A CGI script on an HTTPS server with some client auth config |
| <a name="l-145"></a><span class="tm">13:35:41</span><span class="nk"> <MerlinTHP_></span> So cgi + httpd config |
| <a name="l-146"></a><span class="tm">13:35:47</span><span class="nk"> <kbsingh></span> what sort of auth backend can that support ? |
| <a name="l-147"></a><span class="tm">13:36:05</span><span class="nk"> <kbsingh></span> also, upload via https.... is going to need some multipart fluffery |
| <a name="l-148"></a><span class="tm">13:36:40</span><span class="nk"> <MerlinTHP_></span> That bit is a solved problem, afaik. rpkg already does it |
| <a name="l-149"></a><span class="tm">13:36:57</span><span class="nk"> <MerlinTHP_></span> The server validates the client cert against our CA |
| <a name="l-150"></a><span class="tm">13:37:14</span><span class="nk"> <MerlinTHP_></span> Needs a CRL to be able to revoke certs. |
| <a name="l-151"></a><span class="tm">13:38:14</span><span class="nk"> <kbsingh></span> right, so this would then share the ca with koji ? |
| <a name="l-152"></a><span class="tm">13:38:19</span><span class="nk"> <MerlinTHP_></span> Yeah |
| <a name="l-153"></a><span class="tm">13:38:39</span><span class="nk"> <kbsingh></span> and we'd need to have git.centos.org also then use the same CA |
| <a name="l-154"></a><span class="tm">13:38:47</span><span class="nk"> <MerlinTHP_></span> Mm |
| <a name="l-155"></a><span class="tm">13:38:55</span><span class="nk"> <MerlinTHP_></span> IPA getting more attractive by the second... |
| <a name="l-156"></a><span class="tm">13:38:56</span><span class="nk"> <MerlinTHP_></span> ;) |
| <a name="l-157"></a><span class="tm">13:39:31</span><span class="nk"> <alphacc></span> if we keep the koji CA (and use it for something else) we may want to move easy_rsa + git-crypt (for scaling issue) |
| <a name="l-158"></a><span class="tm">13:39:37</span><span class="nk"> <alphacc></span> or FreeIPA ;) |
| <a name="l-159"></a><span class="tm">13:40:36</span><span class="nk"> <gwd></span> I'm more of a stout man myself... |
| <a name="l-160"></a><span class="tm">13:40:40</span><span class="nk"> <kbsingh></span> gitblit can maknss calls as well if that makes life easier |
| <a name="l-161"></a><span class="tm">13:40:53</span><span class="nk"> <kbsingh></span> can make nss |
| <a name="l-162"></a><span class="tm">13:41:22</span><span class="nk"> <kbsingh></span> from the git.centos.org perspective, we can use pretty much anything and it will consume it . |
| <a name="l-163"></a><span class="tm">13:41:27 </span><span class="nka">* MerlinTHP_</span> <span class="ac">nods.</span> |
| <a name="l-164"></a><span class="tm">13:41:49</span><span class="nk"> <kbsingh></span> there are 2 things that we need to protect though - (1) there is always going to be a privileged path for rhel sources and buildsystem feedback - both of those can never fail |
| <a name="l-165"></a><span class="tm">13:42:09</span><span class="nk"> <kbsingh></span> and (2) we need a way to guarantee branch names and commit access to branch names is locked down |
| <a name="l-166"></a><span class="tm">13:42:33</span><span class="nk"> <bstinson></span> does gitblit currently give you that control? |
| <a name="l-167"></a><span class="tm">13:42:34</span><span class="nk"> <kbsingh></span> so if the auth setup is going to happen at koji CA - that needs to provide a user:sig name mapping which can be used to map users:branch |
| <a name="l-168"></a><span class="tm">13:42:34</span><span class="nk"> <MerlinTHP_></span> Can gitblit do that per-branch stuff? |
| <a name="l-169"></a><span class="tm">13:42:38</span><span class="nk"> <kbsingh></span> <span class="hi">bstinson:</span> yes. |
| <a name="l-170"></a><span class="tm">13:42:52</span><span class="nk"> <MerlinTHP_></span> Hrm |
| <a name="l-171"></a><span class="tm">13:43:20</span><span class="nk"> <MerlinTHP_></span> We need more than just a CA for this |
| <a name="l-172"></a><span class="tm">13:43:30</span><span class="nk"> <MerlinTHP_></span> CA + something with groups and things like that. |
| <a name="l-173"></a><span class="tm">13:43:33</span><span class="nk"> <kbsingh></span> I worked with the author of gitblit ( james moger ) to work that in, and I've made some more tweaks at this end that make it work quite nicely |
| <a name="l-174"></a><span class="tm">13:43:49</span><span class="nk"> <MerlinTHP_></span> That's cool. |
| <a name="l-175"></a><span class="tm">13:44:10</span><span class="nk"> <kbsingh></span> for the git code itself, and the lookaside cache - the privileged path is via ssh |
| <a name="l-176"></a><span class="tm">13:44:28</span><span class="nk"> <kbsingh></span> and gitblit does not mind that, it will happily refresh local git content cache if it finds the underlying storage changed |
| <a name="l-177"></a><span class="tm">13:44:53</span><span class="nk"> <MerlinTHP_></span> I'd have assumed that git+ssh was the default push method anyway |
| <a name="l-178"></a><span class="tm">13:45:06</span><span class="nk"> <kbsingh></span> fwiw, gitolite can also consume and implement a user:branch mapping |
| <a name="l-179"></a><span class="tm">13:45:37</span><span class="nk"> <kbsingh></span> push mode for git is over https |
| <a name="l-180"></a><span class="tm">13:45:41</span><span class="nk"> <MerlinTHP_></span> Oh, ok |
| <a name="l-181"></a><span class="tm">13:45:54</span><span class="nk"> <kbsingh></span> thinking there is that if we need entity verification, an EV cert will give you that |
| <a name="l-182"></a><span class="tm">13:46:31</span><span class="nk"> <MerlinTHP_></span> Do we have a cert revocation system for the current koji CA? |
| <a name="l-183"></a><span class="tm">13:46:48</span><span class="nk"> <MerlinTHP_></span> If I lose my laptop with koji cert now, what happens? |
| <a name="l-184"></a><span class="tm">13:47:09</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> we can revoke access to koji |
| <a name="l-185"></a><span class="tm">13:47:23</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> no crl right now but agreed it's needed. |
| <a name="l-186"></a><span class="tm">13:47:55</span><span class="nk"> <MerlinTHP_></span> Is that turn off the user, or turn off the cert? |
| <a name="l-187"></a><span class="tm">13:48:05</span><span class="nk"> <MerlinTHP_></span> ( so to speak ) |
| <a name="l-188"></a><span class="tm">13:48:16</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> user |
| <a name="l-189"></a><span class="tm">13:48:21 </span><span class="nka">* MerlinTHP_</span> <span class="ac">nods.</span> |
| <a name="l-190"></a><span class="tm">13:49:02</span><span class="nk"> <bstinson></span> ok, let's start wrapping up |
| <a name="l-191"></a><span class="tm">13:49:07</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> user-rsa when Arrfab showed me it existed. I don't want to reinvent the wheel. |
| <a name="l-192"></a><span class="tm">13:49:16</span><span class="nk"> <MerlinTHP_></span> <span class="hi">alphacc:</span> *nod* |
| <a name="l-193"></a><span class="tm">13:49:23</span><span class="nk"> <alphacc></span> <span class="hi">MerlinTHP_:</span> easy_rsa |
| <a name="l-194"></a><span class="tm">13:49:26</span><span class="nk"> <MerlinTHP_></span> Being a CA is a PITA. |
| <a name="l-195"></a><span class="tm">13:49:45</span><span class="nk"> <MerlinTHP_></span> OK, so, do we have any sort of consensus? :) |
| <a name="l-196"></a><span class="tm">13:49:54</span><span class="nk"> <MerlinTHP_></span> Or anything to have a consensus about |
| <a name="l-197"></a><span class="tm">13:50:34</span><span class="nk"> <MerlinTHP_></span> koji requires either SSL or KRB auth, and we're using SSL. Trying to use that for everything we can sounds appropriate? |
| <a name="l-198"></a><span class="tm">13:50:44</span><span class="nk"> <MerlinTHP_></span> Sounds like g.c.o can use it |
| <a name="l-199"></a><span class="tm">13:51:07</span><span class="nk"> <bstinson></span> so (if i'm understanding correctly), we want gitblit to talk to the koji CA but we need to work out some name:sig mappings, and we want to look at having the lookaside cache use the fedora-style cgi script |
| <a name="l-200"></a><span class="tm">13:51:08</span><span class="nk"> <MerlinTHP_></span> We need a way to store cert / user / group / sig info |
| <a name="l-201"></a><span class="tm">13:52:00</span><span class="nk"> <kbsingh></span> yeah, if we can get some groups info in there that would rock |
| <a name="l-202"></a><span class="tm">13:52:16</span><span class="nk"> <MerlinTHP_></span> OK |
| <a name="l-203"></a><span class="tm">13:52:16</span><span class="nk"> <kbsingh></span> if not, we can always store user:group mappings in gitblit itself, and just have it query the CA for auth |
| <a name="l-204"></a><span class="tm">13:52:31</span><span class="nk"> <MerlinTHP_></span> I reckon we probably want that centrally too |
| <a name="l-205"></a><span class="tm">13:52:41</span><span class="nk"> <kbsingh></span> and i presume the upload script can do something with the same CA as well ... if so - then we should trial it - or start trialing it at git.dev.centos.org |
| <a name="l-206"></a><span class="tm">13:52:53</span><span class="nk"> <kbsingh></span> yeah, ideally all the info would be in one place |
| <a name="l-207"></a><span class="tm">13:53:01</span><span class="nk"> <MerlinTHP_></span> It's the httpd config rather than the script itself, but yeah |
| <a name="l-208"></a><span class="tm">13:53:40</span><span class="nk"> <kbsingh></span> ah i see |
| <a name="l-209"></a><span class="tm">13:53:50</span><span class="nk"> <kbsingh></span> but will that be able to map users to dir names? |
| <a name="l-210"></a><span class="tm">13:53:59</span><span class="nk"> <bstinson></span> once all that's in place we can sculpt centpkg around our setup |
| <a name="l-211"></a><span class="tm">13:54:04</span><span class="nk"> <kbsingh></span> eg. if someone is locked to branch 'virtsig' they can only upload into <packagename>/virtsig/ |
| <a name="l-212"></a><span class="tm">13:54:17</span><span class="nk"> <MerlinTHP_></span> <span class="hi">kbsingh:</span> ok, that bit would need script changes :) |
| <a name="l-213"></a><span class="tm">13:54:40</span><span class="nk"> <MerlinTHP_></span> the httpd-level stuff is authn, the authz would need to be in the script, I think |
| <a name="l-214"></a><span class="tm">13:55:28</span><span class="nk"> <bstinson></span> Is MerlinTHP_ volunteering to look at that for the next meeting? |
| <a name="l-215"></a><span class="tm">13:55:36</span><span class="nk"> <MerlinTHP_></span> Sure |
| <a name="l-216"></a><span class="tm">13:56:30</span><span class="nk"> <bstinson></span> ok, great! |
| <a name="l-217"></a><span class="tm">13:56:35</span><span class="nk"> <MerlinTHP_></span> :) |
| <a name="l-218"></a><span class="tm">13:56:47</span><span class="nk"> <MerlinTHP_></span> Running out of meeting |
| <a name="l-219"></a><span class="tm">13:56:48</span><span class="nk"> <kbsingh></span> when are we meeting next ? |
| <a name="l-220"></a><span class="tm">13:56:54</span><span class="nk"> <MerlinTHP_></span> Same time next week? |
| <a name="l-221"></a><span class="tm">13:57:09</span><span class="nk"> <kbsingh></span> ok, weekly works, but longer term we should think about making it bi-weekly |
| <a name="l-222"></a><span class="tm">13:57:13</span><span class="nk"> <MerlinTHP_></span> Sure |
| <a name="l-223"></a><span class="tm">13:57:18</span><span class="nk"> <kbsingh></span> maybe do ~ 6 weekly ones ? |
| <a name="l-224"></a><span class="tm">13:57:21</span><span class="nk"> <bstinson></span> <span class="cmd">#info </span><span class="cmdline">Next meeting: Monday 22-Sept 2014 13:00 UTC</span> |
| <a name="l-225"></a><span class="tm">13:57:36</span><span class="nk"> <bstinson></span> <span class="hi">kbsingh:</span> that's reasonable |
| <a name="l-226"></a><span class="tm">13:57:40 </span><span class="nka">* MerlinTHP_</span> <span class="ac">nods.</span> |
| <a name="l-227"></a><span class="tm">13:58:12</span><span class="nk"> <bstinson></span> <span class="cmd">#info </span><span class="cmdline">We will be doing 6 weekly meetings, then moving to a bi-weekly schedule</span> |
| <a name="l-228"></a><span class="tm">13:58:14</span><span class="nk"> <lalatenduM></span> works for /Me |
| <a name="l-229"></a><span class="tm">13:58:24</span><span class="nk"> <MerlinTHP_></span> Is there a meetbot give-merlinthp-an-action command? ;) |
| <a name="l-230"></a><span class="tm">13:58:41 </span><span class="nka">* MerlinTHP_</span> <span class="ac">should read the manual</span> |
| <a name="l-231"></a><span class="tm">13:59:20</span><span class="nk"> <lalatenduM></span> does "#action" work |
| <a name="l-232"></a><span class="tm">13:59:21</span><span class="nk"> <bstinson></span> <span class="cmd">#action </span><span class="cmdline">MerlinTHP_ Research lookaside cache authentication and upload permissions</span> |
| <a name="l-233"></a><span class="tm">13:59:35</span><span class="nk"> <MerlinTHP_></span> Ah :) |
| <a name="l-234"></a><span class="tm">13:59:42</span><span class="nk"> <bstinson></span> i think i said that right |
| <a name="l-235"></a><span class="tm">13:59:52</span><span class="nk"> <MerlinTHP_></span> Works for me. |
| <a name="l-236"></a><span class="tm">13:59:54</span><span class="nk"> <bstinson></span> anything else that needs to go in the minutes? |
| <a name="l-237"></a><span class="tm">14:00:07</span><span class="nk"> <kbsingh></span> is someone going to look at storing user:groups in the koji auth layers |
| <a name="l-238"></a><span class="tm">14:00:18</span><span class="nk"> <MerlinTHP_></span> I'll have a think about that too |
| <a name="l-239"></a><span class="tm">14:00:19</span><span class="nk"> <kbsingh></span> there must be something like this already - since users are limited to some tags and targets |
| <a name="l-240"></a><span class="tm">14:00:27</span><span class="nk"> <kbsingh></span> can't those just be the groups and sig names as well |
| <a name="l-241"></a><span class="tm">14:01:32</span><span class="nk"> <alphacc></span> <span class="hi">kbsingh:</span> users are limited to the tagging action, not to some target. This policy stuff needs investigation. I don't think there is a group directive. |
| <a name="l-242"></a><span class="tm">14:02:54</span><span class="nk"> <MerlinTHP_></span> OK, so we done with the meeting? :) |
| <a name="l-243"></a><span class="tm">14:02:59</span><span class="nk"> <bstinson></span> <span class="hi">gwd:</span> i think that was you who sent a message to -devel with other agenda items, sorry our discussion sort of trampled over yours |
| <a name="l-244"></a><span class="tm">14:03:00</span><span class="nk"> <alphacc></span> <span class="cmd">#action </span><span class="cmdline">alphacc investigate koji policy for cbs.</span> |
| <a name="l-245"></a><span class="tm">14:03:08</span><span class="nk"> <bstinson></span> hopefully there will be time for an open-flood next week |
| <a name="l-246"></a><span class="tm">14:03:53</span><span class="nk"> <bstinson></span> <span class="cmd">#info </span><span class="cmdline">send agenda items for next week to the centos-devel@centos.org</span> |
| <a name="l-247"></a><span class="tm">14:04:01</span><span class="nk"> <bstinson></span> 1 minute warning before I close the minutes |
| <a name="l-248"></a><span class="tm">14:04:16</span><span class="nk"> <MerlinTHP_></span> I'm good. |
| <a name="l-249"></a><span class="tm">14:04:44</span><span class="nk"> <kbsingh></span> same here |
| <a name="l-250"></a><span class="tm">14:05:02</span><span class="nk"> <kbsingh></span> i think we're going to need some of these sessions of just open chat before we start working on and only on agenda items. |
| <a name="l-251"></a><span class="tm">14:05:04</span><span class="nk"> <alphacc></span> ok with me. |
| <a name="l-252"></a><span class="tm">14:05:28</span><span class="nk"> <bstinson></span> sure thing |
| <a name="l-253"></a><span class="tm">14:05:31</span><span class="nk"> <bstinson></span> <span class="cmd">#endmeeting</span><span class="cmdline"></span></pre> |
| </body></html> |