nested git repos under qubes-os.org site (_doc _hcl)


Zrubi

May 4, 2015, 10:45:22 AM
to qubes...@googlegroups.com
Hi,

Not sure if it is designed this way or just happened... but:

Right now if I update the _doc (or _hcl) repo and want to make it go
live I have to update the main repo as well to see the changes.

Feels like overkill for me.

Do we really need this level of complexity?
Why not just link the master/head of those repos?

Or if you need more control drop our write rights and we will make pull
requests instead of direct editing. That would be still more comfortable.

Moreover: what if some external user creates a pull request?
One has to review, then accept that request, and also update the main
repo to make it live.

This would be reasonable only if we introduce four-eye rules for the
live web site ;)


--
Zrubi


Marek Marczykowski-Górecki

May 4, 2015, 12:47:20 PM
to Zrubi, qubes...@googlegroups.com

On Mon, May 04, 2015 at 04:45:14PM +0200, Zrubi wrote:
> Hi,
>
> Not sure if it is designed this way or just happened... but:
>
> Right now if I update the _doc (or _hcl) repo and want to make it go
> live I have to update the main repo as well to see the changes.
>
> Feels like overkill for me.
>
> Do we really need this level of complexity?
> Why not just link the master/head of those repos?

Submodules are used here to make it easy to clone just documentation for
offline use, the same for HCL. Also for easier permission management.
For example if some parts will be automatically generated (automatic HCL
collection?), it's better to give that tool access only to the part it
needs, not the whole site.

Unfortunately submodules can't be pointed at a branch (or other mutable
ref), only at a commit ID. We might introduce a script which will watch
for changes in submodules, fetch them, verify the git tag there and, if
correct, automatically update the main repository.

> Or if you need more control drop our write rights and we will make pull
> requests instead of direct editing. That would be still more comfortable.
>
> Moreover: what if some external user will create a pull request?
> One have to review, then accept that request, and also update the main
> repo to make it live.
>
> This would be reasonable only if we introduce four-eye rules for the
> live web site ;)

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Zrubi

May 5, 2015, 4:31:24 AM
to qubes...@googlegroups.com
On 05/04/15 18:47, Marek Marczykowski-Górecki wrote:

> Unfortunately submodules can't be pointed at branch (or other mutable
> ref), only on commit ID.

Oh, I see.

> We might introduce a script which will watch
> for changes in submodules, fetch them, verify git tag there and if
> correct - automatically update main repository.


I still wonder:

- if I commit to a submodule and want to make it live, do I have to verify
the other commits before I change the submodule commit ID?

- how should I update the submodules?



--
Zrubi


Marek Marczykowski-Górecki

May 5, 2015, 7:49:04 AM
to Zrubi, qubes...@googlegroups.com

You verify git tag just after downloading new commits (before you
commit anything), right? ;)

> - how should I update the submodules?

Currently the workflow is:
git clone/pull qubesos.github.io...
git tag -v "`git describe`"
git submodule update
cd _doc
(make your changes)
git commit ...
git tag -s ...
git push --tags
cd ..
git commit -am 'doc update'
git tag -s ...
git push --tags

I will write a script to monitor submodule changes and automatically
update the main repo - it will really simplify the above procedure.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Axon

May 6, 2015, 6:00:52 AM
to Marek Marczykowski-Górecki, Zrubi, qubes...@googlegroups.com

Marek Marczykowski-Górecki wrote:
> On Tue, May 05, 2015 at 10:31:18AM +0200, Zrubi wrote:
>> On 05/04/15 18:47, Marek Marczykowski-Górecki wrote:
>
>>> Unfortunately submodules can't be pointed at branch (or other
>>> mutable ref), only on commit ID.
>
>> Oh, I see.
>
>>> We might introduce a script which will watch for changes in
>>> submodules, fetch them, verify git tag there and if correct -
>>> automatically update main repository.
>
>
>> Still wonder
>
>> - if I commit to a submodule and want to make it live I have to
>> verify if other commits before I change the submodule commit ID?
>
> You verify git tag just after downloading new commits (before you
> commit anything), right? ;)
>
>> - how should I update the submodules?
>
> Currently the workflow is: git clone/pull qubesos.github.io... git
> tag -v "`git describe`" git submodule update cd _doc (make your
> changes) git commit ... git tag -s ... git push --tags cd .. git
> commit -am 'doc update' git tag -s ... git push --tags
>

Is this the procedure I should follow if I want to add/edit user
documentation?

> I will write a script to monitor submodules changes and
> automatically update main repo - it will really simplify above
> procedure.
>
>


Marek Marczykowski-Górecki

May 8, 2015, 8:09:03 AM
to Axon, Zrubi, qubes...@googlegroups.com

On Wed, May 06, 2015 at 10:00:39AM +0000, Axon wrote:
> Marek Marczykowski-Górecki wrote:
> > On Tue, May 05, 2015 at 10:31:18AM +0200, Zrubi wrote:
> >> On 05/04/15 18:47, Marek Marczykowski-Górecki wrote:
> >
> >>> Unfortunately submodules can't be pointed at branch (or other
> >>> mutable ref), only on commit ID.
> >
> >> Oh, I see.
> >
> >>> We might introduce a script which will watch for changes in
> >>> submodules, fetch them, verify git tag there and if correct -
> >>> automatically update main repository.
> >
> >
> >> Still wonder
> >
> >> - if I commit to a submodule and want to make it live I have to
> >> verify if other commits before I change the submodule commit ID?
> >
> > You verify git tag just after downloading new commits (before you
> > commit anything), right? ;)
> >
> >> - how should I update the submodules?
> >
> > Currently the workflow is: git clone/pull qubesos.github.io... git
> > tag -v "`git describe`" git submodule update cd _doc (make your
> > changes) git commit ... git tag -s ... git push --tags cd .. git
> > commit -am 'doc update' git tag -s ... git push --tags
> >
>
> Is this the procedure I should follow if I want to add/edit user
> documentation?

I've just written a script to automatically update submodules (it's located
in qubesos.github.io/_utils). It fetches all the changes in submodules,
verifies the git tag there and, if correct, commits the update to the main
repository (to point at the new submodule location). I'll hook it somehow to
GitHub, or simply run it periodically, so all you need to do now is just
commit the change to qubes-doc and push, *together with a signed tag*.

Zrubi: it handles all the submodules, including _hcl.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
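The manual procedure Marek posted earlier in the thread and the updater he describes in this message, worked through as an added example (written for this edit; it is not the _utils script from qubesos.github.io). For each submodule the script fetches origin, accepts the new head only if it carries a tag whose signature `git verify-tag --raw` reports as good and made by an allowlisted key fingerprint, and only then moves the submodule pointer and commits in the superproject. The placeholder fingerprints, following `origin/HEAD` with a fallback to `origin/master`, and the `UPDATE_SUBMODULES_RUN` guard are assumptions of this example.

```shell
#!/bin/bash
# Added example (not the _utils script from qubesos.github.io): a minimal
# submodule-update bot in the spirit of the one described in this thread.
# For each submodule it fetches origin, accepts the new head only if it
# carries a tag whose signature gpg reports as good and made by an
# allowlisted key, then moves the submodule pointer and commits in the
# superproject.
set -eu

# Allowlisted signing-key fingerprints (constructed placeholders; put the
# maintainers' real fingerprints here).
ALLOWED_FPRS="${ALLOWED_FPRS:-0000000000000000000000000000000000000001 0000000000000000000000000000000000000002}"

# sig_status_accepted ALLOWED_FPRS  < gpg status lines
# Reads the "[GNUPG:] ..." status lines that `git verify-tag --raw` emits
# and succeeds only if there is a GOODSIG, the VALIDSIG fingerprint (field
# 3) is allowlisted, and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG appeared.
sig_status_accepted() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && ($3 in ok) { valid = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (good && valid && !bad) exit 0; exit 1 }'
}

# tag_at REPO COMMIT: print the annotated tag that points exactly at COMMIT.
tag_at() {
    git -C "$1" describe --exact-match "$2" 2>/dev/null
}

# tag_verified REPO COMMIT: succeed only if COMMIT has a tag whose
# signature passes sig_status_accepted. --raw sends the gpg status lines
# to stderr, so that stream is the one piped into the checker.
tag_verified() {
    local tag
    tag=$(tag_at "$1" "$2") || return 1
    git -C "$1" verify-tag --raw "$tag" 2>&1 >/dev/null | sig_status_accepted "$ALLOWED_FPRS"
}

# update_submodules SUPERPROJECT: the bot loop. Following origin/HEAD with
# a fallback to origin/master is an assumption of this example.
update_submodules() {
    local super="$1" path new tag
    git -C "$super" submodule --quiet update --init
    git -C "$super" submodule --quiet foreach 'echo "$sm_path"' | while read -r path; do
        git -C "$super/$path" fetch --quiet --tags origin
        new=$(git -C "$super/$path" rev-parse --verify -q refs/remotes/origin/HEAD) \
            || new=$(git -C "$super/$path" rev-parse --verify refs/remotes/origin/master)
        [ "$new" = "$(git -C "$super/$path" rev-parse HEAD)" ] && continue
        if tag_verified "$super/$path" "$new"; then
            tag=$(tag_at "$super/$path" "$new")
            git -C "$super/$path" checkout --quiet "$new"
            git -C "$super" add "$path"
            git -C "$super" commit --quiet -m "Update $path to $tag"
            echo "updated $path -> $tag ($new)"
        else
            echo "skipped $path: $new has no tag signed by an allowlisted key" >&2
        fi
    done
}

# Usage: UPDATE_SUBMODULES_RUN=1 ./update-submodules.sh /path/to/qubesos.github.io
if [ "${UPDATE_SUBMODULES_RUN:-0}" = 1 ]; then
    update_submodules "${1:?superproject path}"
fi
```

The checker deliberately parses gpg's machine-readable status lines rather than its human-readable text, and it requires the key fingerprint to be on an explicit allowlist: a "Good signature" from any key in the keyring is not enough, which is exactly the concern Marek raises later in the thread about contributors' keys.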

Axon

May 26, 2015, 1:00:32 AM
to Marek Marczykowski-Górecki, Zrubi, qubes...@googlegroups.com
Marek,

I'm not seeing any git tags:

[user@... qubesos.github.io]$ git pull origin master
From github.com:QubesOS/qubesos.github.io
* branch master -> FETCH_HEAD
Already up-to-date.
[user@... qubesos.github.io]$ git tag
[user@... qubesos.github.io]$ git tag -v "`git describe`"
fatal: No names found, cannot describe anything.
error: tag '' not found.

What am I doing wrong?

Axon

May 26, 2015, 1:14:32 AM
to Marek Marczykowski-Górecki, Zrubi, qubes...@googlegroups.com

Oh, wrong repo. I see now. Never mind.

Marek Marczykowski-Górecki

May 26, 2015, 1:18:36 AM
to Axon, Zrubi, qubes...@googlegroups.com
> From github.com:QubesOS/qubesos.github.io
> * branch master -> FETCH_HEAD
> Already up-to-date.
> [user@... qubesos.github.io]$ git tag
> [user@... qubesos.github.io]$ git tag -v "`git describe`"
> fatal: No names found, cannot describe anything.
> error: tag '' not found.
>
> What am I doing wrong?

Try git pull --tags.

Anyway, as I've written - qubesos.github.io is now automatically updated
when any submodule is updated (and a valid signed tag is pushed together
with it). So, you don't need to worry about updating it manually - just
push the submodule change. Of course you still need to download the main
qubesos.github.io to run a local copy of the page.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Axon

May 26, 2015, 2:04:46 AM
to Marek Marczykowski-Górecki, Zrubi, qubes...@googlegroups.com
That works. Thank you.

> Anyway, as I've written - qubesos.github.io is now automatically
> updated when any submodule is updated (and valid signed tag is
> pushed together). So, do don't need to worry about updating it
> manually - just push submodule change. Of course you still need to
> download main qubesos.github.io to run local copy of the page.
>
>

Yes, but I still want to verify the PGP signatures on my local machine
to rule out MitM attacks, evil GitHub admins, etc.

Speaking of which, why not have everyone sign their *commits* in
addition to signing tags? Some reasons to do so:

http://mikegerwitz.com/papers/git-horror-story

Marek Marczykowski-Górecki

May 26, 2015, 4:25:42 PM
to Axon, Zrubi, qubes...@googlegroups.com
Yes, of course.

> Speaking of which, why not have everyone sign their *commits* in
> addition to signing tags? Some reasons to do so:
>
> http://mikegerwitz.com/papers/git-horror-story

Actually we use tags to sign everything we push somewhere, not only
major releases, so the above problem does not apply.

Generally I don't see anything against signing every commit (of course),
but this does not solve all the problems. Especially because
verification is not trivial. For example if we accept some contribution
this means we have some commits not signed with our keys. Of course we
don't want to add every contributor's key automatically to the trusted key
set. But we still need to mark the commits as accepted.

Important question: does a commit signature protect everything included
in the commit, including the parent id? If so, perhaps verifying the
signature of just the top commit would be enough. Then we need to ensure
that contributions are included using a merge commit, never fast-forward.
Which is actually a good idea anyway.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Hakisho Nukama

May 26, 2015, 4:55:51 PM
to qubes...@googlegroups.com

Marek Marczykowski-Górecki:
Great. Thanks for this script.

>>>
>>>> Marek,
>>>
>>>> I'm not seeing any git tags:
>>>
>>>> [user@... qubesos.github.io]$ git pull origin master From
>>>> github.com:QubesOS/qubesos.github.io * branch
>>>> master -> FETCH_HEAD Already up-to-date. [user@...
>>>> qubesos.github.io]$ git tag [user@... qubesos.github.io]$ git
>>>> tag -v "`git describe`" fatal: No names found, cannot
>>>> describe anything. error: tag '' not found.
>>>
>>>> What am I doing wrong?
>>>
>>> Try git pull --tags.
>>>
>
>> That works. Thank you.
>

A fast way to create these signed tags is specifying an alias in
~/.gitconfig (hint from Marek). But don't forget to check the `git
diff` from latest known 'good' state before creating it. ;)

[alias]
stag = "!id=`git show --pretty=format:%H|head -1`; git tag -s -m \"Tag for commit $id\" nukama_${id:0:8}"

If we script this, we might only checkout the latest commit, where the
chain of trusted contributors commits (based on a trusted stag) is not
broken by an unsigned commit.

I'm signing commits created on my doc-VM only and create a signed tag
when it is ready for production.

I might also edit some files over github when I'm away from my
fortress, but have to create a stag afterwards when I'm back or wait
for some other trusted contributor to check my commits and stag them.

Maybe we can create a key for signing tags (trusted contributors,
separate audit-VM) and one for signing commits (trusted and other
contributors, doc-VM). Overkill!?

Here is my .gitconfig, any objections or suggestions?

[user]
email = nuk...@gmail.com
name = Hakisho Nukama
signingkey = 3FCF9A1111350DE9FA9C3DD06E7A27B909DAFB92

[alias]
lg = log --graph --show-signature
stag = "!id=`git show --pretty=format:%H|head -1`; git tag -s -m \"Tag for commit $id\" nukama_${id:0:8}"

[branch]
; autosetuprebase is a branch.* key; git has no core.autosetuprebase
autosetuprebase = always

[commit]
gpgsign = true

[gpg]
program = gpg2

--
Best Regards,
Hakisho Nukama
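Marek's question earlier in the thread (whether a commit signature covers the parent id, so that verifying only the top commit would be enough) and Hakisho's idea of a chain of trusted commits broken by an unsigned one, worked through as an added Python example that is not code from the thread or from the Qubes project. It builds commit objects in git's on-disk format, strips the `gpgsig` header to recover the exact bytes a commit signature covers (which do include every `parent` line), and walks the parent chain from a signed tip. The HMAC-SHA256 stand-in for gpg, the key, the tree ids and the author string are constructed assumptions; git itself signs and verifies exactly the same payload bytes with gpg.

```python
"""What a git commit signature covers, and why verifying only the tip pins
the whole ancestry. Added example; gpg is replaced by an HMAC stand-in
(assumption) so that it runs offline."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

MAINTAINER_KEY = b"maintainer-signing-key"  # constructed stand-in key
AUTHOR = b"Doc Writer <doc@example.org> 1432639000 +0200"  # constructed

def commit_oid(obj: bytes) -> str:
    """Object id as git computes it: SHA-1 over 'commit <len>\\0' + body."""
    return hashlib.sha1(b"commit %d\0" % len(obj) + obj).hexdigest()

def split_signature(obj: bytes) -> Tuple[bytes, bytes]:
    """Return (payload, sig). The payload is what a commit signature
    covers: the object minus its own 'gpgsig' header and that header's
    space-indented continuation lines. Tree, every parent id, author,
    committer and message all remain in it."""
    headers, _, message = obj.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[7:])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message, b"\n".join(sig)

def parents_of(obj: bytes) -> List[str]:
    headers = obj.partition(b"\n\n")[0].split(b"\n")
    return [h.split()[1].decode() for h in headers if h.startswith(b"parent ")]

def make_commit(tree: str, parents: List[str], message: str,
                key: Optional[bytes] = None) -> bytes:
    """Build a commit object; with a key, sign the unsigned object and add
    the signature as a gpgsig header at the end of the header block."""
    headers = [b"tree " + tree.encode()]
    headers += [b"parent " + p.encode() for p in parents]
    headers += [b"author " + AUTHOR, b"committer " + AUTHOR]
    body = b"\n".join(headers) + b"\n\n" + message.encode()
    if key is None:
        return body
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    headers.append(b"gpgsig " + sig)  # one-line stand-in, no continuation
    return b"\n".join(headers) + b"\n\n" + message.encode()

def signature_ok(obj: bytes, key: bytes) -> bool:
    payload, sig = split_signature(obj)
    want = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return bool(sig) and hmac.compare_digest(sig, want)

def verify_history(store: Dict[str, bytes], tip: str, key: bytes) -> bool:
    """Check the signature on the tip only, then walk parents checking that
    each object hashes to the id its child named. Rewriting an ancestor
    changes its oid and hence the signed parent line of its descendant."""
    if tip not in store or not signature_ok(store[tip], key):
        return False
    todo, seen = [tip], set()
    while todo:
        oid = todo.pop()
        if oid in seen:
            continue
        seen.add(oid)
        obj = store.get(oid)
        if obj is None or commit_oid(obj) != oid:
            return False
        todo.extend(parents_of(obj))
    return True

def demo() -> Dict[str, bool]:
    """Constructed history: signed root, unsigned external contribution,
    signed merge commit (no fast-forward), then a rewritten copy of the
    contribution and a merge whose parent line was altered."""
    root = make_commit("a" * 40, [], "Initial docs", MAINTAINER_KEY)
    contrib = make_commit("b" * 40, [commit_oid(root)], "Fix typo (external)")
    merge = make_commit("c" * 40, [commit_oid(root), commit_oid(contrib)],
                        "Merge contribution", MAINTAINER_KEY)
    store = {commit_oid(o): o for o in (root, contrib, merge)}
    rewritten = dict(store)
    rewritten[commit_oid(contrib)] = contrib.replace(b"Fix typo", b"Other text")
    altered = merge.replace(commit_oid(contrib).encode(), b"d" * 40)
    parent_line = b"parent " + commit_oid(contrib).encode()
    return {
        "parent_in_signed_payload": parent_line in split_signature(merge)[0],
        "clean_history_ok": verify_history(store, commit_oid(merge), MAINTAINER_KEY),
        "rewritten_ancestor_ok": verify_history(rewritten, commit_oid(merge), MAINTAINER_KEY),
        "unsigned_tip_ok": verify_history(store, commit_oid(contrib), MAINTAINER_KEY),
        "altered_parent_signature_ok": signature_ok(altered, MAINTAINER_KEY),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walk accepts the unsigned contributor commit because the maintainer's signed merge commit names its id, which is the "mark the commits as accepted" step Marek asks for; a fast-forward would leave the unsigned commit as the tip and the check would fail, which is why the merge-commit rule matters.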