Re: Gnome Flatpak build system, descriptions and questions

From: Bastien Nocera <hadess hadess net>
To: Alexander Larsson <alexl redhat com>, Richard Hughes <hughsient gmail com>
Cc: "gnome-os-list gnome org" <gnome-os-list gnome org>, desktop-devel-list <desktop-devel-list gnome org>
Subject: Re: Gnome Flatpak build system, descriptions and questions
Date: Fri, 26 Aug 2016 13:39:52 +0200

On Fri, 2016-08-26 at 09:43 +0200, Alexander Larsson wrote:

On tor, 2016-08-25 at 17:29 +0100, Richard Hughes wrote:

On 25 August 2016 at 16:29, Alexander Larsson <alexl redhat com>
wrote:


However, it would
make more sense for each individual application developers to
maintain
the manifest in the applications git repo.

I think this is a very good idea indeed; I was confused about the
"centralization" aspect of the builder files. Isn't this just some
globbing, if we all agree to put the manifest in the same place in
the
git tree?


Well, it was initially put in a separate git repo as we were just a
few
people trying to build a lot of apps, and that was the easiest way to
get started. However, now that things are a bit more stable moving it
to each individual repo makes sense.

There are some complexities though. There are two things we want to
build, the "latest unstable" and the "last stable release". The
obvious
solution is to store a json file with a predictable name in master
for
the unstable release, and in the latest stable branch for the stable
one.

However, how do we find which git repos have such json files, and how
do we know what is the current latest stable branch? Also, its
somewhat
weird to clone the entire git repo just to get a json file that then
itself may refer to the git repo.

Another issue is that we'd like the to have some control of what gets
built, at least for the stable builds. Right now we just pull the
gnome-apps-nightly repo and assumes it is correct (i.e nobody
commited
an attack to git or MITMed our connection to git.gnome.org), but from
there everything is verified by sha256 on all the various tarballs
that
are downloaded. Getting even this level of verification is trickier
when things are spread all across git.gnome.org. Ideally we should
have
some kind of gpg signatures for the stable commits so that we can
verify everything from that, but we don't really have that kind of
setup for gnome git.

Anyway, the best we can do now is i think having a git repo, say
gnome-
apps-nightly, that has two files in it, listing for each row:
* A git repo
* A branch name
* The filename of the json manifest in the repo
One of the files would be for unstable/nightly builds, and the other
for stable builds.


You can replace all 3 of those items with a URL pointing to the file in
an https cgit.

2 problems with requiring GPG signatures for stable releases though:
- gnupg's "UI" sucks utterly
- we really should have had people signing each other's keys at GUADEC
when face to face

Follow-Ups:
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Alexander Larsson

References:
- Gnome Flatpak build system, descriptions and questions
  - From: Alexander Larsson
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Richard Hughes
- Re: Gnome Flatpak build system, descriptions and questions
  - From: Alexander Larsson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]