Generate and maintain repository metadata in tree #46

Draft: wants to merge 2 commits into base: main

legoktm
Member

@legoktm legoktm commented Jul 12, 2023

Let's match the securedrop-apt-prod process by generating metadata at
commit-time instead of doing it on the server.

The publish script takes care to generate reproducible output by
fixing the mtime of all the RPMs and telling createrepo_c what the
time should be.

CI verifies the generated metadata is up to date and fully reproducible
using the --reproduce flag.

Refs https://github.com/freedomofpress/infrastructure/issues/4241.

Test plan

  • Visual review
  • CI passes
  • Add any RPM to the f37 folder, run ./tools/publish locally, see metadata files change. Stage these changes
  • Run ./tools/publish --reproduce, you should see no changes to the files compared to the previous step
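
An added sketch of the publish and `--reproduce` check this PR describes. It is not the repository's `tools/publish` script, and it swaps `createrepo_c` for a small gzip-compressed checksum index so that it runs offline. `FIXED_TIME`, `build_index`, `publish`, `reproduce` and `index.gz` are hypothetical names, and the RPM contents are constructed.

```python
import gzip, hashlib, io, os, tempfile
from pathlib import Path

FIXED_TIME = 1_700_000_000  # hypothetical pinned timestamp (constructed value)

def build_index(pkg_dir: Path, timestamp: int) -> bytes:
    """Gzip-compressed checksum index of every *.rpm under pkg_dir."""
    lines = []
    for rpm in sorted(pkg_dir.rglob("*.rpm")):  # sorted: no readdir-order drift
        os.utime(rpm, (timestamp, timestamp))   # pin mtime before it is recorded
        digest = hashlib.sha256(rpm.read_bytes()).hexdigest()
        name = rpm.relative_to(pkg_dir).as_posix()
        lines.append(f"{name} {digest} {int(rpm.stat().st_mtime)}\n")
    buf = io.BytesIO()
    # The gzip header embeds an mtime and optionally a filename: pin both.
    with gzip.GzipFile(filename="", fileobj=buf, mode="wb", mtime=timestamp) as gz:
        gz.write("".join(lines).encode())
    return buf.getvalue()

def publish(pkg_dir: Path, out_dir: Path, timestamp: int = FIXED_TIME) -> None:
    """Regenerate the metadata that gets committed alongside the packages."""
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / "index.gz").write_bytes(build_index(pkg_dir, timestamp))

def reproduce(pkg_dir: Path, out_dir: Path, timestamp: int = FIXED_TIME) -> bool:
    """CI-style check: a fresh build must equal the committed bytes exactly."""
    committed = out_dir / "index.gz"
    return committed.is_file() and committed.read_bytes() == build_index(pkg_dir, timestamp)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        pkgs, public = Path(tmp) / "f37", Path(tmp) / "public"
        pkgs.mkdir()
        (pkgs / "a.rpm").write_bytes(b"constructed package A")
        publish(pkgs, public)
        result = {"clean": reproduce(pkgs, public)}
        (pkgs / "b.rpm").write_bytes(b"constructed package B")  # new RPM, metadata not rerun
        result["stale"] = reproduce(pkgs, public)
        publish(pkgs, public)
        result["refreshed"] = reproduce(pkgs, public)
        # An unpinned clock alone changes the output, even with identical packages.
        result["clock_drift"] = build_index(pkgs, FIXED_TIME) != build_index(pkgs, FIXED_TIME + 1)
        return result

if __name__ == "__main__":
    print(demo())
```
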

@legoktm
Member Author

legoktm commented Jul 12, 2023

Missing:

  • CI verification that metadata is up to date
  • infra-side changes to serve out of the public/ folder

@legoktm legoktm force-pushed the in-tree-metadata branch 3 times, most recently from e0a8f80 to a0f8dcc Compare August 4, 2023 01:56
@legoktm
Member Author

legoktm commented Aug 8, 2023

For some reason I can reproduce the metadata locally in a plain debian:bookworm container using the tools/publish script, but whatever is running in GHA is generating something different.

@legoktm
Member Author

legoktm commented Aug 8, 2023

https://gist.github.com/legoktm/ed61fa944bddd81cf5f8b9e4bbf9ed01 is what the current diff looks like. Going to take a break because I'm a bit at a loss as to what to do; in theory we're setting proper mtimes on the files and are even running createrepo_c under faketime.

@eloquence
Member

@legoktm Gentle nudge on this - is that on the radar for the near-term? If so, do you need any help to get unblocked?

@legoktm
Member Author

legoktm commented Feb 14, 2024

I still would like to do this but it's not on my list right now since I'm not doing RPMy things. Hopefully in the sprint towards 4.2 I'll get to revisit this.

@legoktm legoktm force-pushed the in-tree-metadata branch from 77e6ed8 to e82c852 Compare July 16, 2024 20:42
@legoktm
Member Author

legoktm commented Jul 16, 2024

Yessssss. It's reproducible now. I need to clean up the Git history and then send a PR in for the infra changes and then we can coordinate rollout.

legoktm added 2 commits July 22, 2024 16:25
Let's match the securedrop-apt-prod process by generating metadata at
commit-time instead of doing it on the server.

The publish script takes care to generate reproducible output by
fixing the mtime of all the RPMs and telling `createrepo_c` what the
time should be.

CI verifies the generated metadata is up to date and fully reproducible
using the `--reproduce` flag.
@legoktm legoktm force-pushed the in-tree-metadata branch from 8bff81f to 8eb052a Compare July 22, 2024 20:30
@legoktm legoktm changed the title WIP: Generate and maintain repository metadata in tree Generate and maintain repository metadata in tree Jul 22, 2024
@legoktm legoktm marked this pull request as ready for review July 22, 2024 21:22
@zenmonkeykstop zenmonkeykstop self-requested a review August 8, 2024 19:03
@zenmonkeykstop zenmonkeykstop requested review from rocodes and removed request for zenmonkeykstop September 5, 2024 16:22
Contributor

@rocodes rocodes left a comment

Test plan

  • Visual review
  • CI passes
  • Add any RPM to the f37 folder, run ./tools/publish locally, see metadata files change. Stage these changes
  • Run ./tools/publish --reproduce, you should see no changes to the files compared to the previous step

@legoktm
Member Author

legoktm commented Oct 1, 2024

Thanks for the approval, I'm going to move this back into draft mode just because it also needs coordinated changes in the infrastructure repo.

@legoktm legoktm marked this pull request as draft October 1, 2024 23:44
Projects
Status: Blocked
3 participants