rebuild of pip mirror for production #134
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The pip mirror will now be used for production and for dev. To ensure that any wheels added are production-ready, they will be built in a prod-like environment and signed with the official release key.
When developers add or update a dependency, they will need to ping an owner of the SD release key to build/upload/sign the new dependency.
This was referenced Jan 24, 2020
kushaldas
approved these changes
Jan 27, 2020
There was a problem hiding this comment.
Key is correct, did a visual inspection of the rest of the changes.
$ ./scripts/verify-sha256sum-signature
gpg: key 310F561200F4AD77: public key "SecureDrop Release Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Signature made Friday 21 July 2017 05:42:16 AM IST
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key" [unknown]
gpg: aka "SecureDrop Release Signing Key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77
Checking that SHA256SUMs from mirror match signed file... OK
Approved. #133 needs a rebase after this.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes freedomofpress/securedrop-proxy#150
Build log: freedomofpress/build-logs@84508f5
To rebuild I deleted everything in
localwheels/, repulled source tarballs from PyPI and rebuilt wheels. I also noticed there were a lot of old references in our indices so I've purged them along with any old source tarballs or wheels for versions of packages we're never using. It looks like at some point we had the test/dev dependencies for securedrop-client on the mirror, so I've deleted all that. I also have completed the release signing ceremony for sha256sums.txt and removed all other maintainer keys.You can see in the CI build output here that all packages EXCEPT securedrop-client and securedrop-proxy built successfully: that is because those two packages point to specific wheel hashes in build-requirements.txt. I recommend in quick succession we:
At that point, we should be good.
related: we can do this update next week which will be a good test of this workflow freedomofpress/securedrop-proxy#140