Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

import: bump timestamp/snapshot for some scheduling leeway #395

Closed
jku opened this issue Aug 12, 2024 · 4 comments
Closed

import: bump timestamp/snapshot for some scheduling leeway #395

jku opened this issue Aug 12, 2024 · 4 comments
Assignees
@jku

Comments

@jku
Copy link
Member

jku commented Aug 12, 2024

During a repository import there is a scheduling annoyance where the "legacy" repository may still bump timestamp/snapshot while the initial signing event is being constructed. This seems like it sets a tight limit to the initial signing event...

There is a simple solution to this since timestamp/snapshot versions do not have to be sequential (they only have to be increasing): We can just make a significant bump to snapshot and timestamp versions during the import . This ensures a few "legacy updates" won't make the signing event invalid.
@jku jku self-assigned this Aug 12, 2024
@jku jku mentioned this issue Aug 12, 2024
Closed
17 tasks
@jku
Copy link
Member Author

jku commented Aug 13, 2024
edited
Loading

I've been reviewing the code for this: online-sign should just work as there is no checks that online role versions move sequentially. The "blockers" are:

  • signing-event safety check that fails if online roles have any changes in them.
  • the annoyance of merging with conflicts

That said, I think we can handle this by just rebasing the signing event PR when the signing event is ready: I think it just works.

I will test this out in a test repo

@jku
Copy link
Member Author

jku commented Aug 13, 2024
edited
Loading

Wait, I'm actually wrong: We don't need to do anything since the signing-event does not modify online roles* even in the import signing event! So the merge to main should be clean automatically if we don't modify online roles in main... I will still test this but we should be fine

(*) at some point this was not true, and I kept remembering that

@jku
Copy link
Member Author

jku commented Aug 13, 2024
edited
Loading

So the merge to main should be clean automatically if we don't modify online roles in main

Right, playing the update through "on paper" this requirement means:

  • When we are ready to start a signing event we make a copy of metadata from legacy repository/repository/ to tuf-on-ci metadata location metadata/ using prep-import.py script contained in sources: these copies are functionally equivalent but just formatted by different tools
  • then we let the signing event happen likely over multiple days
  • during this the online roles in legacy dir repository/repository/ may be updated
  • Before we merge signing event we can make new PRs where we re-run the prep-import.py script, copying the online changes to tuf-on-ci metadata location metadata/

signing-event PR then merges cleanly and repo should be 100% correct even if legacy online signing happened

@jku
Copy link
Member Author

jku commented Sep 9, 2024

the process in the last comment worked fine

@jku jku closed this as completed Sep 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jku jku

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jku