00:27.27 | makfinsky | herlo: Ok, finished early. |
00:27.38 | makfinsky | Didn't end up cooking, just ate leftovers. |
00:29.53 | herlo | nice |
00:30.13 | herlo | makfinsky: well, I got comfy on my floor in the office, and considered some things |
00:30.38 | herlo | the workflow for skein is solid, and I don't think it's necessary to change it, but I do need to look at each piece of the workflow |
00:31.23 | herlo | before doing that, however. It occurred to me that we need to consider how people join the project and how that will determine the workflow of our tools. In this case, how skein is affected. |
00:31.48 | herlo | So I started thinking about that, and realized that we need to have some sort of schema like Fedora does. |
00:31.54 | herlo | something like: |
00:32.07 | herlo | 1) Sign Contributor Agreement |
00:32.16 | herlo | 2) Push ssh pubkeys |
00:32.28 | herlo | 3) ???? |
00:32.31 | herlo | 4) Profit |
00:32.51 | herlo | But the thing is, we already have them needing to create an account on github |
00:33.18 | herlo | so I considered a few things there, and figured since we're using github, we could have them do things the github way. With a few tweaks, of course |
00:33.38 | herlo | I created a repo gooseproject/contributors |
00:33.42 | herlo | https://github.com/gooseproject/contributors |
00:33.47 | herlo | currently, it has nothing in it |
00:33.50 | herlo | but I plan to add a few files |
00:34.13 | herlo | One is a CONTRIB file, to which any contributor who joins the project will add their information |
00:35.22 | herlo | Full Name, Email Address and/or github username |
00:36.12 | herlo | Above this information, will be the Contributor Agreement and by them putting their Full Name and at least one other piece of info, they will grant GoOSe Project full license to any contributions they make |
00:36.51 | herlo | I'm also debating another piece. |
00:37.13 | herlo | makfinsky: one where they will have to push their ssh pubkey to the repository as well. |
00:37.58 | herlo | Essentially, each new contributor, starting with us of course, will fork this repo, e-sign the CONTRIB file and add our ssh pubkey |
00:38.07 | herlo | then do a pull request |
00:38.53 | herlo | someone already in the project will be notified of the pull request, contact the individual and confirm info. Once confirmed, a merge will be performed and they will be an official contributor. |
00:39.42 | herlo | makfinsky: during the merge, the contributor will be added to the 'GoOSe' group |
00:40.39 | herlo | this will be the main group and only exist in the gooseproject organization. Belonging to the GoOSe group will allow contributors to submit requests to the gooseproject-main repo |
00:40.51 | herlo | specifically, new repo requests with skein. |
00:41.28 | herlo | Each new repo request can be filed via skein or via the github website |
00:41.56 | herlo | If the request is filed via the website, the contributor will have to follow a particular template. |
00:42.13 | herlo | makfinsky: thoughts? |
00:43.33 | makfinsky | Sorry herlo, reading back log. |
00:45.51 | makfinsky | Interesting! I like the github pull idea for approvals. |
00:49.07 | herlo | makfinsky: well it proves that a contributor can follow instructions and understands the github workflow :) |
00:49.20 | makfinsky | One tricky thing we'll have to deal with is groups. Contributors will have to be placed into appropriate groups. Some folks won't be code or pkg contributors. Some may work on docs, etc. |
00:49.30 | herlo | makfinsky: indeed |
00:49.36 | makfinsky | Yeah, I dig that. Barrier to entry is necessary. |
00:49.40 | herlo | which is what I was thinking about |
00:50.06 | herlo | so have you ever used zodbot in #fedora-ambassadors or any of the fedora irc channels? |
00:50.57 | makfinsky | A little bit, just mimicked what I'd seen others do in the channel. |
00:51.08 | herlo | right, so there's a bunch of different functions |
00:51.13 | herlo | like .fas herlo |
00:51.17 | herlo | and .fasinfo herlo |
00:51.31 | herlo | .fas herlo searches for a contributor named herlo |
00:51.47 | herlo | .fasinfo herlo assumes the username herlo is correct and returns a list of groups |
00:52.00 | herlo | additionally, you can do .whoowns <package> |
00:52.15 | herlo | and there's lots of little functionalities like that that are linked into fas |
00:52.20 | herlo | we can do the same with github and goose |
00:52.36 | herlo | <PROTECTED> |
00:52.37 | makfinsky | Yeah, that'd be pretty neat. |
00:52.43 | makfinsky | Good diea. |
00:52.50 | makfinsky | s/diea/idea/ |
00:53.22 | herlo | makfinsky: writing a supybot plugin is pretty easy. We could probably get you started on doing that with just a bit of instruction |
00:54.13 | makfinsky | Ok, just as soon as I get these other few things done. ;) |
00:54.28 | herlo | haha, no worries |
00:54.56 | herlo | makfinsky: the point is that I think we need to think about how a contributor comes online to better have them work within the goose project |
00:55.15 | makfinsky | Agreed. |
00:55.38 | herlo | specifically, they need to understand the steps to go from being a basic contributor into other areas, like docs, packager, etc |
00:56.24 | makfinsky | Right. |
00:59.24 | herlo | makfinsky: if you have time tonight and a desire, we need a CONTRIB file with some sort of basic agreement in it... |
00:59.49 | herlo | https://github.com/gooseproject/contributors |
01:00.05 | makfinsky | Oof, I don't think I can tonight. Am about to pass out. |
01:00.07 | herlo | is getting hungry and we're about to go grab some food for an hour or so... |
01:00.17 | herlo | makfinsky: it's all good. I can do it when I get back. |
01:00.27 | herlo | makfinsky: but this does sound reasonable, no? |
01:00.41 | makfinsky | It does, very reasonable. |
01:00.46 | herlo | cool |
01:02.06 | herlo | thanks for the help |
01:02.21 | makfinsky | Yessir! |
01:02.29 | makfinsky | Now I go pass out. |
01:02.36 | herlo | :) |
01:02.37 | herlo | nn |
01:12.14 | shalkie | Hooray for passout! |
01:12.16 | shalkie | :-) |
01:13.15 | Nafai | I've done that way too much the last few days :( |
01:38.08 | *** join/#gooseproject makfinsky1 (~imak@c-76-104-102-5.hsd1.va.comcast.net) |
02:25.33 | herlo | hi all |
02:25.48 | herlo | shalkie: did you read the workflow I was talking about with makfinsky ?? |
02:26.13 | Nafai | Hey herlo |
02:26.32 | herlo | Nafai: hi |
02:26.35 | Nafai | herlo: Does there happen to be a tool that helps you make VM images of CentOS/etc? |
02:26.36 | herlo | how about you... |
02:26.44 | herlo | Nafai: like what? |
02:26.56 | herlo | thinks kickstart is a pretty good tool |
02:27.08 | herlo | but if you already have an image? |
02:29.55 | Nafai | https://help.ubuntu.com/8.04/serverguide/C/ubuntu-vm-builder.html |
02:30.45 | Nafai | Like that |
02:32.51 | herlo | Nafai: you mean like qemu and virsh? |
02:33.04 | herlo | points out that is basically what ubuntu vm builder is doing |
02:35.10 | herlo | Nafai: it's basically just a clone, which you can do with virt-manager |
02:36.16 | herlo | Nafai: virt-image - create virtual machines from an image descriptor |
02:41.27 | Nafai | nods |
02:42.23 | herlo | Nafai: is that what you were looking for? |
02:45.02 | makfinsky | I think boxgrinder might more what he's looking for. |
02:45.21 | makfinsky | https://fedoraproject.org/wiki/Features/BoxGrinder |
02:45.32 | makfinsky | And now I am off to bed. For realz. |
02:45.55 | herlo | makfinsky: ahh, yeah, maybe |
02:45.58 | herlo | nn |
02:49.06 | Nafai | Yeah, something like any of those |
02:55.50 | herlo | cool |
03:15.37 | monsterb | hello goozbach | all |
03:16.11 | herlo | monsterb: hallo |
03:16.17 | monsterb | I found out about goose project from 'this week in fedora' podcast. |
03:16.26 | herlo | monsterb: welcome! |
03:16.34 | monsterb | thx |
03:16.38 | herlo | Jonathan is awesome! |
03:16.51 | herlo | I was so happy he wanted to do the interview |
03:17.16 | herlo | monsterb: we're glad you made it here. |
03:17.21 | monsterb | yeah, i met jonathan in person few weeks ago at ohio linux fest. |
03:17.43 | herlo | me too! |
03:17.55 | herlo | OLF was pretty good this year, too. |
03:18.11 | monsterb | yeah, i always enjoy it |
03:18.19 | herlo | you live out that way? |
03:18.53 | monsterb | nw indiana.. columbus is 5 hr drive |
03:19.17 | herlo | ahh. I live in Salt Lake, but drove up from Bowling Green, KY. Also about a 5hr drive |
03:19.37 | herlo | btw, I saw you run oggcastplanet.org |
03:20.07 | herlo | looks like a pretty cool site! |
03:20.11 | monsterb | yeah and monsterb.org |
03:20.15 | monsterb | thanks |
03:20.31 | herlo | checks that out |
03:21.10 | herlo | I like your sites |
03:21.44 | monsterb | my sites are simple like me :P |
03:21.48 | herlo | hehe |
03:22.00 | herlo | I see you run Arch. I have a few friends who love that distro |
03:22.46 | Nafai | I've been playing with it lately, not sure if I'm willing to commit heresy though. |
03:23.35 | herlo | lol |
03:23.41 | herlo | not sure it's heresy |
03:24.03 | Nafai | I've been in the fold of Debian and Ubuntu for so long... |
03:24.16 | monsterb | yeah, i like bleeding edge on the desktop. My servers I run debian stable.. I would like to try goose on new server im building. |
03:24.36 | herlo | cool, well we're still building RPMs, but we'd love to have testers like you |
03:25.25 | herlo | monsterb: I think by the end of this week, we should have everything migrated to our new buildroot and can start cranking through packages to make GoOSe work. |
03:26.29 | monsterb | cool, im waiting on a few parts.. should be here by Sat. |
03:27.14 | monsterb | how far along is an ISO ? |
03:27.32 | Nafai | herlo: dude, I can't find a link for the episode |
03:27.39 | herlo | well, we're targeting EOY, but I think we could have it much faster after we get a bit more automation in place |
03:27.49 | herlo | Nafai: for This week in Fedora? |
03:27.59 | herlo | frostbitemedia.org |
03:28.23 | herlo | http://www.frostbitemedia.libsyn.com/rss/twifogg <-- this is the feed |
03:28.52 | Nafai | I guess I'll just find it in the feed |
03:28.57 | Nafai | I have no reason to subscribe :) |
03:29.21 | monsterb | prob latest show |
03:29.46 | Nafai | The latest episode linked on the show page is from 2010 |
03:29.58 | herlo | Nafai: that's the fedora wiki page |
03:29.58 | Nafai | got it |
03:30.20 | herlo | but they have the ogg feed on there |
03:30.52 | monsterb | Nafai: wget http://traffic.libsyn.com/frostbitemedia/TWIF_035.ogg |
03:31.23 | Nafai | monsterb: thanks, grabbing it now :) |
03:32.48 | herlo | is watching baseball instead of working on the join process |
03:36.41 | monsterb | herlo: http://oggcastplanet.org/unstable/ <-- if you would like an account to post about goose.. let me know. It's picked up by Linux Planet. Lxer and TuxMachines have linked to some of our posts. |
03:37.50 | herlo | cool |
03:38.04 | herlo | monsterb: for now, we don't have any ogg type podcasts yet, but that'd be great! |
03:38.17 | herlo | if we get to that point sometime down the road, that is |
03:38.34 | *** join/#gooseproject makfinsky (~imak@c-76-104-102-5.hsd1.va.comcast.net) |
03:38.58 | monsterb | UNSTABlE is just a blog. |
03:40.48 | herlo | ahh, cool |
03:42.13 | herlo | monsterb: we do have http://planet.gooseproject.org |
03:43.29 | monsterb | cool, bookmarked |
03:43.53 | herlo | monsterb: we're working on a better main site too |
03:44.02 | herlo | http://gooseproject.github.com/ |
03:46.49 | monsterb | i'll check it out, catch u later |
03:50.05 | herlo | ciao |
04:44.05 | *** join/#gooseproject herlo (~clints@fedora/herlo) |
04:44.05 | *** join/#gooseproject Nafai (~nafai@travishartwell.net) |
04:44.05 | *** join/#gooseproject goozbach (~goozbach@fedora/goozbach) |
04:44.05 | *** mode/#gooseproject [+oo herlo goozbach] by niven.freenode.net |
05:40.53 | shalkie | Herlo: I don't think I have read about the workflow yet. |
06:12.23 | herlo | shalkie: scroll up |
06:12.30 | herlo | it's all in the irc channel |
06:54.28 | shalkie | I could use some feedback on the post. http://theadamsresidence.net/?p=115 |
06:55.06 | shalkie | goozbach: herlo ^^ |
06:55.17 | herlo | k |
06:55.27 | herlo | reads |
06:55.36 | herlo | suggests shalkie also reads |
06:55.55 | herlo | shalkie: Not found! |
06:56.29 | herlo | suspects that's because he doesn't have a login |
06:57.05 | shalkie | http://theadamsresidence.net/?p=115&preview=true |
06:57.22 | shalkie | herlo: Try that link |
06:58.32 | herlo | okay |
06:58.40 | herlo | shalkie: not found! |
06:59.06 | shalkie | :-( |
07:00.51 | shalkie | First link should work now. |
07:01.23 | herlo | k, I'll try it now |
07:02.57 | herlo | shalkie: I can read it tomorrow |
07:03.10 | herlo | but I have the page up no problem |
07:03.18 | shalkie | :-P |
07:03.49 | herlo | shalkie: so have a read on this |
07:04.03 | shalkie | I should probably be headed to bed soon too. |
07:04.06 | herlo | https://github.com/gooseproject/join/blob/master/README.rst |
07:04.14 | herlo | shalkie: it'll only take a moment |
07:04.39 | shalkie | is reading |
07:04.55 | herlo | realizes the formatting is off |
07:06.03 | shalkie | looks good. |
07:06.52 | herlo | :) I gotta get goozbach to look at it tomorrow, but this may be a simple way to get people on board quickly and doing work! :) |
07:07.14 | herlo | shalkie: if you wanna join GoOSe, you gotta do these steps, too :P |
07:07.49 | shalkie | What? Oh man. I guess I have something to do tomorrow. :-D |
07:11.09 | herlo | hehe |
07:11.13 | herlo | nn shalkie |
07:11.28 | herlo | goes to get some ZZZZzzzzs |
07:11.44 | shalkie | nn herlo |
07:12.37 | shalkie | is off to bed as well. |
07:12.41 | shalkie | night all |
10:01.51 | *** join/#gooseproject makfinsky (~imak@c-76-104-102-5.hsd1.va.comcast.net) |
13:10.43 | *** join/#gooseproject goosebot (~supybot@newkessel.friocorte.com) |
14:10.26 | *** join/#gooseproject makfinsky (~imak@c-76-104-102-5.hsd1.va.comcast.net) |
15:08.05 | goozbach | herlo pong |
15:14.23 | goozbach | hhh |
15:14.29 | goozbach | hmm |
15:14.34 | goozbach | my backlog froze |
15:14.39 | goozbach | goosebot: ping |
15:14.39 | goosebot | pong |
15:16.18 | herlo | goozbach: pong |
15:16.49 | goozbach | herlo: ponging you from last night |
15:17.30 | goozbach | herlo: re join |
15:17.39 | goozbach | I think it's a good first step in getting people together |
15:18.35 | herlo | goozbach: cool, do you want to add yourself to the join tree by following the instructions? |
15:19.01 | herlo | goozbach: in other words, not just pulling and pushing, but forking and sending a pull request? |
15:20.23 | herlo | goozbach: I'm fixing the contrib.rst right now, but it shouldn't take but a minute |
15:23.16 | herlo | goozbach: k, I'll watch for the pull request :) |
15:24.54 | goozbach | I will; please hold |
15:25.43 | herlo | :) |
15:31.45 | goozbach | https://github.com/gooseproject/join/pull/1 |
15:31.50 | goozbach | did I do it right? |
15:32.11 | herlo | dunno |
15:32.15 | herlo | let me see if I got a notification |
15:32.16 | goozbach | :) |
15:32.43 | herlo | w00t! I see the pull request |
15:33.48 | herlo | goozbach: very nice |
15:33.55 | herlo | pushed your changes |
15:35.10 | herlo | https://github.com/gooseproject/join/blob/master/CONTRIB.rst |
15:35.18 | goozbach | shalkie: I like the post |
15:35.24 | goozbach | blog post that is |
15:35.52 | herlo | https://github.com/gooseproject/join/pull/1 |
15:35.58 | herlo | closed! |
15:36.18 | goozbach | nice! |
15:36.22 | herlo | goozbach: so the next part is to debate how we get ssh keys |
15:36.23 | goozbach | I'm a contributor now!!! |
15:36.24 | herlo | distributed |
15:36.32 | herlo | goozbach: indeed! |
15:36.36 | goozbach | there's the ssh key repo I built |
15:36.39 | herlo | I know |
15:36.40 | goozbach | may be a good start |
15:37.00 | herlo | I'm thinking more like where they can upload their keys so we can perform that step |
15:37.14 | goozbach | fork and pull request the keys |
15:37.20 | herlo | considered having them put them right into the join repo, but that seemed a bit blatant |
15:37.29 | goozbach | pubkeys are just that |
15:37.32 | goozbach | public |
15:37.35 | goozbach | no? |
15:37.52 | herlo | I agree. I've just never seen anyone publicize ssh keys like that |
15:38.00 | herlo | even Fedora has them behind fas at least |
15:38.59 | herlo | goozbach: I'm actually fine with fork and pull request on keys, too. Just wanted to get opinions on security risks and what the general feel will be from potential contributors |
15:39.50 | goozbach | good idea |
15:39.55 | goozbach | bring it up on the mailing list |
15:39.57 | goozbach | let's ask! |
15:40.20 | herlo | k |
15:40.49 | herlo | goozbach: oh, to that point. I've been trying to be a bit more verbose about what I am doing on the ml. I think it is a good rule of thumb for everyone. |
15:41.28 | goozbach | good idea all around |
15:41.46 | herlo | k, sending email shortly |
15:43.08 | goozbach | gets to work with $dayjob |
15:43.43 | goozbach | I need to add user accounts for the team to access goosebot |
15:44.27 | herlo | goozbach: make a goosebot team maybe? |
15:44.38 | herlo | goozbach: I had one other question if you have just another minute |
15:45.30 | herlo | specifically, submitting issues to the 'GoOSe' repository is the privilege of being a contributor |
15:45.42 | herlo | should we have that be its own repo, or use gooseproject-main?? |
15:46.11 | herlo | is leaning toward the former, with nothing in it really but a readme |
15:46.36 | goozbach | I'll have to think about both of those questions |
15:47.00 | herlo | contributors can file requests for new repos, etc. Kind of a generic location for any issue that doesn't affect an upstream repo or specifically a project. |
15:47.07 | herlo | goozbach: k |
15:47.24 | herlo | for now, I will leave the repo list empty in the GoOSe team |
16:12.03 | herlo | makfinsky: ping |
16:12.19 | herlo | https://github.com/gooseproject/join |
16:12.24 | makfinsky | Pong. |
16:12.34 | makfinsky | Reading now. |
16:12.44 | herlo | follow the instructions, don't just clone the repo :) |
16:13.17 | makfinsky | I'd say ML is mandatory. |
16:13.28 | makfinsky | At least the main one, for now. |
16:13.50 | herlo | k, fix that in your fork :) |
16:13.57 | makfinsky | Will do. |
16:14.59 | makfinsky | Love this status message: "Hardcore Forking Action" |
16:15.20 | herlo | I know! |
16:15.25 | herlo | It's awesome :) |
16:33.01 | makfinsky | Hehe, is it wrong to merge my own pull request? |
16:33.17 | herlo | yes |
16:33.57 | herlo | makfinsky: I just pushed the changes |
16:35.01 | makfinsky | herlo: Thanks. I wasn't going to merge my own request. I found it amusing that GH instantly said to me "Merge Pull request now!" |
16:35.09 | herlo | lol |
16:35.30 | herlo | https://github.com/gooseproject/join/pull/2 |
16:35.34 | herlo | closed! |
16:36.07 | herlo | makfinsky: you didn't update the CONTRIB.rst file |
16:36.18 | makfinsky | Um, I did... |
16:36.28 | herlo | really?? |
16:36.36 | makfinsky | Double checking... |
16:36.38 | herlo | did you do two commits? |
16:36.56 | herlo | er, not CONTRIB |
16:37.01 | herlo | sorry, README.rst |
16:37.07 | herlo | makfinsky: ^^ |
16:37.11 | makfinsky | Oh, yeah, I didn't update that one... |
16:37.14 | makfinsky | Doing that now. |
16:37.26 | herlo | lol |
16:37.42 | goozbach | did you have to update README? |
16:37.48 | goozbach | cause I didn't |
16:37.50 | herlo | goozbach: no |
16:37.54 | goozbach | :) |
16:38.04 | herlo | he mentioned that he thought the ml should be mandatory and I told him to make the change :) |
16:38.35 | goozbach | ahh |
16:39.03 | makfinsky | Done. |
16:39.17 | herlo | did you do another pull request? or just push the changes? |
16:39.34 | herlo | oh, I see it now |
16:39.37 | makfinsky | Just did another pull req. |
16:39.47 | herlo | hehe, you can probably commit now |
16:40.02 | herlo | is pushing those changes now |
16:40.07 | makfinsky | I want some cover, I'm not going to tromp through here like it's my project alone... -0O |
16:40.20 | makfinsky | :-D |
16:40.21 | herlo | lol |
16:40.28 | herlo | we can revert with git, it's okay |
16:49.59 | herlo | anyone else have comment on this? https://groups.google.com/group/goose-linux/browse_thread/thread/8a4b17d851376ce3 |
16:50.26 | herlo | makfinsky: shalkie: Nafai: smooge: monsterb: CodeBlock: albino: Nafai ^^ |
16:50.38 | herlo | luvs that he put Nafai in there twice :) |
16:53.02 | makfinsky | Reading now. |
16:53.23 | makfinsky | Mulling it over. |
16:59.27 | albino | ssh keys are public, post them everywhere |
16:59.47 | *** join/#gooseproject goosebot (~supybot@newkessel.friocorte.com) |
17:07.04 | makfinsky | Even though public keys are called PUBLIC for a good reason, there will be folks out there who will complain. It becomes a question of how much, or how little, time we want to spend attempting to educate those folks. |
17:07.55 | makfinsky | If we ignore too many of them, it *could* have negative consequences for the project. I just don't know how much and of what kind. |
17:08.08 | makfinsky | I don't think it'll look badly on the project, per se. |
17:09.13 | makfinsky | More like it'll turn off those of us that are spending time contributing and trying to educate those, which might give the impression that we don't care about *new* folks if we begin ignoring them because we are burnt out on helping folks who don't know what *public* means. |
17:09.30 | makfinsky | Vicious circle type situation. |
17:10.56 | makfinsky | Other than the above argument, I'm all for public keys being posted publicly. They can only be used by a malicious person to give ME access to THEIR systems. |
17:24.41 | herlo | my one big argument is to the malicious folks. |
17:25.23 | herlo | Because we have public keys posted in a public place, they may have more intent to obtain our private keys and possibly hack into our systems. |
17:25.31 | herlo | While I see this as a low probability |
17:25.51 | herlo | I do see that if someone does somehow accidentally publish their private key, we may be in a world of hurt |
17:26.18 | herlo | it might be a good idea to gpg-encrypt the keys in the git repo |
17:27.04 | herlo | we have a GoOSe gpg key which we publish the public version and that way there is only one place where risk lies and it's within the project itself, not on the individual users. |
17:27.54 | herlo | makfinsky: goozbach: what think you of that? |
17:29.13 | makfinsky | Hmm, you make a valid point about users publishing private keys by default. |
17:29.38 | herlo | well, in the git pull request, if they do it wrong, we're screwed |
17:29.39 | makfinsky | Even with a goose gpg key, they might still publish private keys by default, without gpg encrypting. |
17:29.43 | herlo | we'd have to reject it |
17:29.44 | makfinsky | Right. |
17:29.56 | herlo | and force them to use another |
17:30.16 | makfinsky | They've still published a private key to the world. |
17:30.34 | herlo | yeah, but it won't be in our servers if we do things properly |
17:32.38 | herlo | makfinsky: so I'm thinking more and more about a private repository that can be cloned and some sort of encrypted process of uploading keys. |
17:32.51 | herlo | but it means we have to maintain that... |
17:33.19 | makfinsky | I think we'll have to maintain the user db no matter what we do. |
17:33.32 | makfinsky | Unless we decide to trust something like oauth. |
17:33.32 | herlo | well, I don't |
17:33.57 | herlo | I think we'll have to maintain a semblance of a user db. Something like what gitolite does would suffice |
17:34.11 | makfinsky | Well, even then, we need to be able to maintain who is authorized to login. |
17:34.26 | herlo | that's on the github side |
17:34.27 | makfinsky | Not a userdb in the traditional sense, a list of who's allowed. |
17:34.34 | makfinsky | Right. |
17:34.56 | herlo | so my thought was more like having each person commit a ssh key to a private git repo somehow |
17:35.10 | herlo | each person names their key <gh-username>.pub |
17:36.07 | herlo | and it corresponds to the GoOSe group username |
17:36.11 | herlo | s/group/team |
17:38.56 | makfinsky | The first part is the trickier part. How do we manage that as an *open* project? |
17:39.23 | herlo | there isn't a requirement to make sure security is open |
17:39.37 | herlo | only that people we trust can get into the security area and contribute |
17:40.05 | makfinsky | Ok, I'll go with that. |
17:40.19 | herlo | :P It's the same mantra used in Fedora Infrastructure |
17:40.43 | herlo | they have apprentices now, which is how you get to the trusted point. It really doesn't take long if you are driven and smart. |
17:41.40 | makfinsky | Gotcha. |
17:42.49 | herlo | goes to post this convo into the ml |
19:03.25 | herlo | I like this solution: http://devcenter.heroku.com/articles/keys |
19:03.46 | herlo | but do it via an irc bot or command line tool |
19:38.34 | goozbach | herlo: this sounds like a good blog topic |
19:38.37 | goozbach | asking for help :) |
19:38.46 | herlo | :( |
19:38.57 | herlo | doesn't want to write it |
19:39.16 | goozbach | let me see if I understand the workflow |
19:39.25 | goozbach | 1) user creates ssh keypair for goose |
19:40.11 | goozbach | 2) user encrypts the pubkey with gooseproject gpg pubkey resulting in goose.gpg.pub(user.ssh.pub) |
19:40.36 | goozbach | 3) user puts goose.gpg.pub(user.ssh.pub) in a git repo hosted on github |
19:40.41 | goozbach | fork and pull request |
19:41.01 | herlo | yup |
19:41.05 | goozbach | 4) some audit system pings admins and says "there's a new key!" |
19:41.15 | herlo | that'd be email |
19:41.23 | herlo | at least for now |
19:41.41 | *** join/#gooseproject makfinsky (~imak@c-76-104-102-5.hsd1.va.comcast.net) |
19:41.53 | goozbach | 5) key is QA'ed somehow (check to see if it's a pubkey -- possible?, check keytype/size for approval) |
19:42.07 | goozbach | maybe switch 4 and 5 |
19:42.22 | goozbach | if key passes qa test then alert admin |
19:42.34 | goozbach | 6) admin approves key. |
19:43.07 | goozbach | 7) system creates user accounts in all hosts that the user should have access to. and generates authorized_keys file |
19:43.49 | herlo | yeah, I think we can automate a pull verification and check that the key is public |
19:49.07 | herlo | goozbach: I think we're getting close |
19:49.22 | herlo | do you think it's too much work for a potential contributor? |
20:08.50 | goozbach | not if we create a script :) |
20:20.07 | goozbach | what if we just use FAS? |
20:20.24 | goozbach | and extend it to track github access |
20:20.26 | goozbach | ? |
20:20.34 | herlo | well, the point I was trying to avoid was extra infrastructure to maintain |
20:21.00 | herlo | otherwise, FAS or some simple ssh upload form would be fairly simple |
20:21.07 | herlo | goozbach: http://blog.printf.net/articles/2008/09/15/an-ssh-public-keyserver |
20:21.29 | herlo | not that I'd use this, but it's a simple enough implementation that if we threw ssl and github verification behind it, should be pretty simple |
20:23.36 | herlo | goozbach: another thought is to use dropbox |
20:35.15 | herlo | I like this: http://blog.dustinkirkland.com/2010/03/introducing-ssh-import-lp-id.html |
20:35.46 | herlo | but it doesn't talk about how launchpad does the work to get the contributor's ssh keys in the first place |
20:35.59 | herlo | but I know we have something already like this |
20:45.27 | goozbach | can we get at the sshpubkey from github I wonder... |
20:46.21 | goozbach | yup |
20:46.23 | goozbach | http://developer.github.com/v3/users/keys/ |
20:46.27 | goozbach | problem solved? |
20:46.33 | herlo | looks |
20:46.46 | herlo | oh shit! YES IT IS! |
20:46.51 | herlo | didn't think it was available |
20:47.04 | herlo | awesome! |
20:47.14 | herlo | goes to look at github2 to see if it's in there as well |
20:50.57 | herlo | damn, maybe it's time to move to the v3 API |
20:51.34 | goozbach | v2 doesn't? |
20:51.55 | herlo | well, it might, but the github2 library I've been using doesn't |
20:52.29 | herlo | which means I either have to hack that code (possible) but it seems that v3 should have a similar stable api |
21:00.36 | herlo | well, there is this one, though it's very incomplete. It does show how to use python to connect to the v3 api |
21:00.39 | herlo | https://github.com/Cerberus98/Github-API-CLI/blob/master/github.py |
21:00.47 | shalkie | hack it! Hack it! |
21:01.27 | herlo | I think I might |
21:01.38 | herlo | seems github v2 API does have keys in the list |
21:02.14 | herlo | Hardcore Forking Action !! :) |
21:31.28 | *** join/#gooseproject makfinsky (~imak@c-76-104-102-5.hsd1.va.comcast.net) |
21:35.55 | herlo | dammit |
21:36.22 | herlo | well, to obtain an ssh key for a user on github, you must be authenticated |
21:36.27 | herlo | AS THAT USER :( |
21:37.08 | goozbach | ahh |
21:37.21 | goozbach | that complicates things... |
21:37.24 | goozbach | :) |
21:37.47 | herlo | s/)/(/ |
21:38.00 | herlo | ^^ that was for you, goozbach |
21:44.13 | Nafai | yawns |
21:47.30 | herlo | none of that! :) |
21:50.21 | Nafai | Sorry, just waking up :) |
22:05.15 | herlo | hehe, np |
22:09.43 | shalkie | ~. |
22:09.43 | ibot | methinks ~. is not the escape sequence you're looking for. |
22:10.09 | herlo | lol |
22:30.46 | shalkie | Apparently the authors of the github site are smart enough to allow me to approve my own pull request. |
22:37.32 | goozbach | well herlo the fact that users can do things with their keys means we could maybe write a plugin to FAS or whatever to manage github keys |
22:38.40 | herlo | shalkie: you weren't supposed to do that |
22:39.10 | herlo | shalkie: the reason you could is because you are an admin for the organization |
22:39.14 | herlo | :) |
22:39.36 | herlo | so while it would have been better if one of us had merged it for you, it's all good |
22:40.05 | herlo | goozbach: we're going to need the keys separate from github |
22:40.16 | herlo | it might be time to start thinking about building out a fas server |
22:40.32 | herlo | albeit, I think fas is a bit of overkill for us |
22:40.40 | herlo | at least atm |
22:40.52 | herlo | did find this: http://sites.google.com/site/jeromeboismartel/code-s-corner/ssh-key-management-with-skimp |
22:43.08 | herlo | it's more for hosting a bunch of servers and pushing keys around |
22:43.16 | herlo | which I think your make script is better probably |
22:48.12 | herlo | I think something like this is simple enough: http://cloudcontrol.com/developers/documentation/user-management/ssh-key-management/ |
22:50.03 | shalkie | herlo: I didn't think I did merge it. Did I? |
22:50.08 | shalkie | goes to look |
22:50.41 | shalkie | I sill see a pull request. |
22:50.46 | shalkie | s/sill/still |
22:51.59 | herlo | oh, okay |
22:52.11 | herlo | shalkie: I'm not sure what you were implying then |
22:52.19 | shalkie | Oh I tried to pull it. :-) |
22:52.40 | herlo | haha, you can do that :) |
22:52.42 | shalkie | Just noticed that it doesn't seem to honor me approving my own pull request. |
22:53.02 | shalkie | Hmmm.. Interesting. Eithe way I need it merged. :-) |
22:53.46 | shalkie | s/Eithe/Either/ |
22:53.53 | herlo | shalkie: what did you reformat? |
22:53.59 | herlo | is working on the merge |
22:54.25 | shalkie | My the length of the Email column. It was too short for my address. :-) |
22:54.28 | herlo | shalkie: not approving your pull request is a good thing imo... |
22:54.32 | herlo | shalkie: ahh, okay |
22:54.45 | herlo | see that now, thanks |
22:55.22 | shalkie | Re: not approving: You mean not honoring an approval for your own pull request? I agree. |
22:55.41 | herlo | right |
22:56.12 | herlo | shalkie: merged. Now you are an official contributor to GoOSe Project :) |
22:56.24 | shalkie | Hooray for being official, eh? |
22:58.16 | herlo | yeah! |
22:59.49 | herlo | who posted this? http://www.schwarz.eu/oss/wiki/2011/07/the-downfall-of-centos |
23:01.45 | goozbach | I think shalkie linked to it in his blogpost |
23:03.41 | herlo | ahh |
23:07.54 | shalkie | I did. Does it cause an issue? |
23:07.58 | herlo | no |
23:08.03 | herlo | I just enjoyed reading it |
23:08.20 | shalkie | Yeah, I like it too. :-) |
23:08.30 | shalkie | I really like how well he has referenced things. |
23:09.16 | herlo | indeed |
23:24.24 | *** join/#gooseproject makfinsky (~imak@c-76-104-102-5.hsd1.va.comcast.net) |