Bug#908678: Update on the security-tracker git discussion

To: 908678@bugs.debian.org
Cc: Guido Günther <agx@sigxcpu.org>, Bastian Blank <waldi@debian.org>, Martin Zobel-Helas <zobel@debian.org>
Subject: Bug#908678: Update on the security-tracker git discussion
From: Daniel Lange <DLange@debian.org>
Date: Thu, 24 Jan 2019 12:23:31 +0100
Message-id: <[🔎] 13e5b2a3-6ddd-347e-6c78-6901fb59d2b6@debian.org>
Reply-to: Daniel Lange <DLange@debian.org>, 908678@bugs.debian.org
References: <20180912131055.srfkzw5nefmcoqnh@shell.thinkmo.de>

Zobel brought up the security-tracker git discussion in the#debian-security irc channel again and I'd like to record a few of theitems touched there for others that were not present:

DLange has a running mirror of the git repo with split files since threemonths. This is based on anarcat's scripts published previously in thisbug. The rewriting mirror repo works flawlessly. All history is retainedsans gpg commit signatures.

Corsac noted that "redoing the tooling is a pain" and anarcat and DLangeiterated we are willing to help fix the tools. But we need a commitmentfrom the security-team that the migration to a split file repo iswanted. And we need a prioritized list of tools that need to besplit-files enabled.

The discussion iterated that "moving elsewhere" doesn't really fix theunderlying git-usage issue. So while this would take load off salsa, itwill not improve clone times and hamper collaboration with Debian peopleoutside the security team.

Still - to gain some data - DLange tried to push the security-trackerrepo to github. This bails out as the history contains a file > 100MB(hard limit for Github):

remote: error: GH001: Large files detected. You may want to try GitLarge File Storage - https://git-lfs.github.com.

[..]

remote: error: File data/CVE/allitems.html is 111.44 MB; this exceedsGitHub's file size limit of 100.00 MB

So we would have to re-write history for pushing to GitHub. Commits from2017-12-29 that introduce "data/CVE/allitems.html" and drop it againwould need to be modified. Technically all commits after these have tobe re-written as well. I have not tested whether Github supportsrefs/replace substitutes which would be a work-around.

As noticeable on Salsa and perhttps://gitlab.com/gitlab-com/support-forum/issues/230 Gitlab does notenforce per-file size limits.But the pain of hosting and using this repo is not really different forany Gitlab instance.

So that means self-hosting of a non-split-file repo would probably haveto be on a security DSA machine or similar.

Again, as said above, discussion participants outside the security teamwould prefer a commitment to split the offending data/CVE/list file intoannual chunks, enable the tooling and stay on salsa.

Reply to:

Prev by Date: Missing bug references for embedded-code-copies data
Next by Date: External check
Previous by thread: Missing bug references for embedded-code-copies data
Index(es):
- Date
- Thread