Hi all,
the next meeting for repod will take place on jitsi on 2022-06-08
19:00CEST.
https://meet.jit.si/20220608-repod
This is in three weeks, whereas it is usually in two weeks (I don't have
time that week).
Best,
David
--
https://sleepmap.de
Hi all,
the next meeting for repod will take place on jitsi on 2022-05-17
19:00CEST.
https://meet.jit.si/20220517-repod
This is a Tuesday (tomorrow), whereas usually it is a Wednesday (I just
am not available this Wednesday).
Best,
David
--
https://sleepmap.de
Formatted minutes can be viewed here:
https://md.archlinux.org/s/rdnf9nzXj
Raw Markdown (still hoping for an easy md→text conversion that formats
links in a citation style...)
# Arch-repo-management 2022-05-04 meeting
Date: 2022-05-04T17:00:00Z
Location: Jitsi
Scribe: Brett (ainola)
## Attendees
* Brett (ainola)
* dvzrv
* Torxed
* wCPO
## Agenda
### Documentation
* dvzrv has [created extensive sphinx documentation about the project](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/merg…!
#### Hosting
It would be nice to set up e.g. docs.archlinux.org as a central documentation platform related to Arch-related tooling/projects with each project having its own subdomain. For instance, repod.docs.archlinux.org.
* The wiki is more about configuration/situational help whereas the docs site would be more extensive documentation about the project itself: Much of the specifics don't belong on the wiki.
GitLab pages used for WKD docs, let's use pages for all of this documentation
* docs.archlinux.org would be a landing page
* CI/CD into a repository's GitLab pages
* foo.docs.archlinux.org would point to that repo's gitlab page.
#### Security concerns
The Gitlab page could potentially maliciously set cookies for archlinux.org. Since documentation changes can be deployed without DevOps, the accepted stewards of infrastructure, it means that non-DevOps members could theoretically maliciously attack the main site.
Refer: https://github.com/w3c/webappsec/issues/432
Suggestions for resolution:
1. Change https://archlinux.org to https://www.archlinux.org so that the main page is on a separate subdomain
* This would likely cause our search rankings to reset. Cookies would have to be reworked to use the new domain
3. Disable JavaScript via CSP
* This would break search functionality for the Sphinx theme
4. Use `<script-src>` [hash argument](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content… to restrict the JavaScript allowed to run (to be managed by DevOps)
5. Widen the range of trust to include more than DevOps members
* This is the path of least resistance
6. Enhance archlinux.org security to require more than cookies to authenticate
* Not trivial, unlikely to happen
No resolution made, we will revisit in a few weeks' time after the PR has been merged.
### Next Steps
* next up: [rename the project to repod](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues…
* start implementing the consumption of package metadata (e.g. [.MTREE](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/51), [.BUILDINFO](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/52) (also selection of [.BUILDINFO fields](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issue…) and [.PKGINFO](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/53))
I apologize for the horrendous delay; I had forgotten about addressing
my rejected mail to this list!
Formatted meeting minutes can be viewed at:
https://md.archlinux.org/s/BUpRiww_r
A copy of the raw markdown (pandoc does a poor job converting to plain
text, suggestions for other tools welcome):
Date: 2022-04-20T17:00:00Z - 2022-04-20T18:13:00Z
Location: Jitsi
Scribe: ainola
## Attendees
* ainola
* artafinde
* dvzrv
* heftig
* luna
* Torxed
* wCPO
## Agenda
### CI
[renovate-bot](https://gitlab.archlinux.org/archlinux/renovate) was implemented for automating version bumps
* Thanks to wCPO for setting that up
* [Has a pipeline run on a schedule](https://gitlab.archlinux.org/archlinux/renovate/renovate/-/pipeli… to e.g. update lock files and scan through the poetry TOML files. It will create a Merge Request with that gruntwork already done for us for review. ([example MR](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/merge_req…)
* Needs a user to run - we have created a "[renovate](https://gitlab.archlinux.org/renovate)" user to run.
### Versioning
(c.f. [previous discussion on the same topic](https://md.archlinux.org/_jsxpX_ySrGwu9u0EmSXtg#versions))
Changes are infrequent but they do happen; we need a way to upgrade the database in a sane way.
* dvzrv has been working on [#42 (Implement JSON schema for package and database representation)](https://gitlab.archlinux.org/archlinux/arch-repo-managemen…) and [#29 (Make pgpsig an optional field)](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issue…)
* Torxed is interested in this work due to similar issues in archinstall
### File management
Torxed has been working on package file management via the CLI interface.
Two stages right now (for testing):
* Take a package and move it to a pool (via symlinks or hardlinks so that downloads don't need to happen when moving between repos)
* Tag the package for a particular repository
Transactions are a central design around this, so we can all expect to have e.g. staging environments still.
#### Suggestions for improvement
* prevent package removal from the pool if it's active
* noop on adding identical packages
* Fail if a newer version of the package already exists (Otherwise it's assumed to be a version bump and will be accepted)
* Missing debug repositories, needs to be implemented
#### Brainstorming
* Do we want flexibility to have Subrepositories/ephemeral repositories for testing groups of packages (see [#47](https://gitlab.archlinux.org/archlinux/arch-repo-management/-/issues/47))?