-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
downstream: enhance release process #230
Comments
Can you elaborate a bit on what you mean by tagging? And what's a "release"? Are we trying to e.g. snapshot media/images together with the ostree commit? |
This is the conversation I was thinking of: #206 (comment) |
Oh, we should definitely add git tags. Why not? |
So by release, I'm thinking 7.20160224, 7.20160404, etc. So we'd add a git tag for downstream-7.20170117. And then my thought is that KB's script could pick up on that. I was just noticing that you do releases differently for alpha, so I wanted to ask about that. |
Oh, I see. Using git tags instead of the |
What do you think? https://github.com/CentOS/sig-atomic-buildscripts/releases It creates the tag along w/ a space to put some release info. I just linked to the ML message. |
LGTM other than that I'd always GPG sign git tags (preferably with https://github.com/cgwalters/git-evtag ) |
OK, I re-did it w/ git-evtag. @kbsingh Can we script the process of looking for new downstream releases, and rsyncing into place the associated version of the tree from your nightly composer? So, for the next release, I'd update the metadata as needed, we'd test the updated tree, and when things are ready, I'd cut a new release, and the signed tree would fall into place? |
@kbsingh Any comment on this? I'd like to get a new release out asap. |
Since there is no real state maintained in the CI infra, it would be tricky working out when a new tag shows up, however its worth a try. If you go ahead and create a tag, lets try it. |
@kbsingh it it looks OK, can you go ahead and do it? Or grant access to Jbrooks so that he can? It would be really nice if CAH releases were as reliable as Fedora ones are now. |
OK, I created a new tag: https://github.com/CentOS/sig-atomic-buildscripts/tree/downstream-7.20170209 |
Fedora has added a new "updates" ref, which automatically updates as new packages become stable out of bodhi, so if a user wants to be running the latest stable pkgs, rather than wait for the next two week release, they can do that. I'd like to have a similar thing for centos atomic. I have some ideas on how that could work: First, we could tweak the existing Second, we could start including the id of a tested commit from the updates ref in the body of the release tags we're now creating for downstream releases. Then we put in place a new script that would look at the latest tag in the downstream git repo ( If the version in the tag and the version in the tree didn't match, that'd mean that there's a new release that's tested and tagged and ready to be made available in the The script would then mirror the repo, and add the updates ref commit referenced in the release tag to the "stable" ref, including the version number from the tag:
Then we'd rsync the updated tree back into place. |
But in CentOS we don't have an updates stream apart from the Core rebuilds right? Or are you thinking of changing that? Are we trying to solve "test the core rebuild ref before promoting it"? Or are we trying to solve e.g. async security errata, like what happened with kernel a while back? |
We released a new version of the host this week, but the updated packages for that release have been in centos extras since Jan 23. I want to narrow that sort of gap. If there was an async security errata situation, this could help with that as well, but in a case like that, I think we'd consider updating the regular ref as well. A setup like this would both speed our regular releases and allow users to access updated content as soon as it's available, if they chose. |
Relevant to this: CAH is now an entire release cycle behind. So clearly "let's just keep doing what we're doing" is not a realistic option. |
proposed release changes
move to buildlogs
|
With baseline CentOS - the monthly new media rolls up the RHEL z-stream security errata mostly right? Or is there anything else going on there? The monthly centos cycle being potentially out-of-line with RHELAH/Extras seems...weird. Why not try to align? I'm a big fan of moving to https. |
Updating every six weeks means that cah users must wait longer than regular centos users for access to security errata. That's one big downside of alignment, but it'd be less of an issue if we added an updates ref. We've lacked regularity in our cah releases. I want that. CentOS revs on a monthly schedule now, with naming attached to that. I'd like to be on that same train. And on that model, if core CentOS opted to do an extra release for a security issue, cah could follow suit. Whether we ship monthly or ~6 weekly, I'd still like to have the second updates ref. |
I guess my vote is following base centos - rolling up security errata feels like a very important property. The out-of-sync nature of Extras/RHELAH with this will be an issue but if we do the updates ref too, seems OK. |
@cgwalters We've talked a bit about tagging downstream releases so that we can associate a particular state of the metadata in the repo with a given release. I was looking at how you do alpha releases, but that seems tied up in ci -- do you have thoughts about how we should do this for downstream releases?
Also, @kbsingh and I were talking in the meeting last week about setting up a process where, upon some release tagging event that happens in the repo, we'd have the nightly signed tree that KB is producing cut over to the official release location, allowing us to bring more automation to downstream releases.
Does that sound like something that'd work with the sort of release tagging I mentioned above?
The text was updated successfully, but these errors were encountered: