On 26/10/17 22:11, Brian Stinson wrote: > On Oct 24 18:08, Matthias Runge wrote: >> On Tue, Oct 24, 2017 at 03:46:28PM +0100, George Dunlap wrote: >>> On Tue, Oct 24, 2017 at 9:59 AM, Fabian Arrotin <arrfab at centos.org> wrote: >>>> <paste> >>>> sigs would like to use centpkg / lookaside, build direct through git to koji >>>> authentication requirements to accounts.centos.org >>>> Fabian to evaluate git solutions and report back to sig chairs. >>>> mrunge has volunteered to be the "guinea pig" of the new system >>>> </paste> >>>> >>>> Waiting for comments/input/feedback on those points >> >> Thank you for kicking this off! >> >> Storing specs + upstream sources somewhere would solve my primary >> concern with creating some more reproducible builds. Even in a >> small team, it seems scary to upload "somehow" created srpms to get >> them built in cbs. >> >>> >>> From our discussion, I remember that with the "lookaside cache", it >>> should be possible for a "drive-by" contributor to submit a change >>> which included a new tarball, by submitting a pull request that had >>> the proper hash; I could then download the tarball from the upstream >>> website myself, verify the hash, and upload it to the lookaside cache >>> when merging the PR. >> >> Yes, I remember we discussed it briefly, on how to enable drive-by >> contributions or how to lower the barrier for contributors. >> >> I'd be fine with patches/pull-requests/whatever for spec files. I'd try >> to pull down sources myself anyways. >> >> Ideally, any solution would be supported by a central tool, comparable to >> fedpkg for fedora. I know there is centpkg, but I'm currently unsure how >> git and source upload is handled there. > > Centpkg currently only deals with source RPMs. This is blocked on some > sort of git solution with proper credentialing such that the SIG members > can do basic operations. If such a thing came up, centpkg could easily > become a thing again, and could be the right "central tool" for the job. > I haven't tested LFS myself, but as Gitea (that I deployed as a PoC, so that Matthias could play with it) supports that, I was wondering if that couldn't be a simple solution to store blobs/tarballs, without a need to write a kind of "lookaside cache" solution that would have to do ACL verification. AFAICS, LFS through git does that automatically through git permissions The client side would need to be worked on though : git-lfs seems to exist in recent Fedora, but nothing in Epel7. https://bugzilla.redhat.com/show_bug.cgi?id=1504322 https://src.fedoraproject.org/rpms/git-lfs/blob/master/f/git-lfs.spec I haven't tried a rebuild, as from a quick look in the .spec, it would need quite some packages to be available , including higher git (or can we force SCLo for this ?) -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20171027/3fdeb156/attachment-0008.sig>