May 2022 - Arch-projects - lists.archlinux.org

[repod] Next meeting: 2022-06-08 19:00 CEST
by David Runge 17 May '22

17 May '22

Hi all, the next meeting for repod will take place on jitsi on 2022-06-08 19:00CEST. https://meet.jit.si/20220608-repod This is in three weeks, whereas it is usually in two weeks (I don't have time that week). Best, David -- https://sleepmap.de

1 0

[repod] Next meeting: 2022-05-17
by David Runge 17 May '22

17 May '22

Hi all, the next meeting for repod will take place on jitsi on 2022-05-17 19:00CEST. https://meet.jit.si/20220517-repod This is a Tuesday (tomorrow), whereas usually it is a Wednesday (I just am not available this Wednesday). Best, David -- https://sleepmap.de

2 3

[arch-projects] [repod] The arch-repo-management project has been renamed to repod
by David Runge 06 May '22

06 May '22

Hi all, just a short heads up, that the arch-repo-management project has been renamed to repod: https://gitlab.archlinux.org/archlinux/repod/ A redirect for the old name to the new name exists. Best, David -- https://sleepmap.de

1 0

[arch-projects] [arch-repo-management] 2022-05-04 meeting notes
by Brett Cornwall 04 May '22

04 May '22

Formatted minutes can be viewed here: https://md.archlinux.org/s/rdnf9nzXj Raw Markdown (still hoping for an easy md→text conversion that formats links in a citation style...) # Arch-repo-management 2022-05-04 meeting Date: 2022-05-04T17:00:00Z Location: Jitsi Scribe: Brett (ainola) ## Attendees * Brett (ainola) * dvzrv * Torxed * wCPO ## Agenda ### Documentation * dvzrv has [created extensive sphinx documentation about the project](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/merg…! #### Hosting It would be nice to set up e.g. docs.archlinux.org as a central documentation platform related to Arch-related tooling/projects with each project having its own subdomain. For instance, repod.docs.archlinux.org. * The wiki is more about configuration/situational help whereas the docs site would be more extensive documentation about the project itself: Much of the specifics don't belong on the wiki. GitLab pages used for WKD docs, let's use pages for all of this documentation * docs.archlinux.org would be a landing page * CI/CD into a repository's GitLab pages * foo.docs.archlinux.org would point to that repo's gitlab page. #### Security concerns The Gitlab page could potentially maliciously set cookies for archlinux.org. Since documentation changes can be deployed without DevOps, the accepted stewards of infrastructure, it means that non-DevOps members could theoretically maliciously attack the main site. Refer: https://github.com/w3c/webappsec/issues/432 Suggestions for resolution: 1. Change https://archlinux.org to https://www.archlinux.org so that the main page is on a separate subdomain * This would likely cause our search rankings to reset. Cookies would have to be reworked to use the new domain 3. Disable JavaScript via CSP * This would break search functionality for the Sphinx theme 4. Use `<script-src>` [hash argument](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content… to restrict the JavaScript allowed to run (to be managed by DevOps) 5. Widen the range of trust to include more than DevOps members * This is the path of least resistance 6. Enhance archlinux.org security to require more than cookies to authenticate * Not trivial, unlikely to happen No resolution made, we will revisit in a few weeks' time after the PR has been merged. ### Next Steps * next up: [rename the project to repod](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues… * start implementing the consumption of package metadata (e.g. [.MTREE](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/51), [.BUILDINFO](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/52) (also selection of [.BUILDINFO fields](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issue…) and [.PKGINFO](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/53))

2 1

[arch-projects] [arch-repo-management] 2022-04-20 meeting minutes
by Brett Cornwall 03 May '22

03 May '22

I apologize for the horrendous delay; I had forgotten about addressing my rejected mail to this list! Formatted meeting minutes can be viewed at: https://md.archlinux.org/s/BUpRiww_r A copy of the raw markdown (pandoc does a poor job converting to plain text, suggestions for other tools welcome): Date: 2022-04-20T17:00:00Z - 2022-04-20T18:13:00Z Location: Jitsi Scribe: ainola ## Attendees * ainola * artafinde * dvzrv * heftig * luna * Torxed * wCPO ## Agenda ### CI [renovate-bot](https://gitlab.archlinux.org/archlinux/renovate) was implemented for automating version bumps * Thanks to wCPO for setting that up * [Has a pipeline run on a schedule](https://gitlab.archlinux.org/archlinux/renovate/renovate/-/pipeli… to e.g. update lock files and scan through the poetry TOML files. It will create a Merge Request with that gruntwork already done for us for review. ([example MR](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/merge_req…) * Needs a user to run - we have created a "[renovate](https://gitlab.archlinux.org/renovate)" user to run. ### Versioning (c.f. [previous discussion on the same topic](https://md.archlinux.org/_jsxpX_ySrGwu9u0EmSXtg#versions)) Changes are infrequent but they do happen; we need a way to upgrade the database in a sane way. * dvzrv has been working on [#42 (Implement JSON schema for package and database representation)](https://gitlab.archlinux.org/archlinux/arch-repo-managemen…) and [#29 (Make pgpsig an optional field)](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issue…) * Torxed is interested in this work due to similar issues in archinstall ### File management Torxed has been working on package file management via the CLI interface. Two stages right now (for testing): * Take a package and move it to a pool (via symlinks or hardlinks so that downloads don't need to happen when moving between repos) * Tag the package for a particular repository Transactions are a central design around this, so we can all expect to have e.g. staging environments still. #### Suggestions for improvement * prevent package removal from the pool if it's active * noop on adding identical packages * Fail if a newer version of the package already exists (Otherwise it's assumed to be a version bump and will be accepted) * Missing debug repositories, needs to be implemented #### Brainstorming * Do we want flexibility to have Subrepositories/ephemeral repositories for testing groups of packages (see [#47](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/47))?

1 0