[Cryptech Tech] Repos, releases and system structure (Was: Re: Reminder)

Joachim Strömbergson joachim at secworks.se
Tue Oct 7 06:21:05 UTC 2014



Aloha!

(Late to the party. And I changed the topic to something hopefully more
relevant. And moving this discussion to @tech since some of our
followers might have good ideas, requests on things like these. If this
was wrong, I'm sorry.)

Linus Nordberg wrote:
> Rob Austein <sra at hactrn.net> wrote
> Wed, 24 Sep 2014 09:30:29 -0400:
>
> | At Wed, 24 Sep 2014 12:33:24 +0200, Linus Nordberg wrote:
> | >
> | > Randy Bush <randy at psg.com> wrote
> | > Wed, 24 Sep 2014 18:34:59 +0900:
> | >
> | > | building a novena system or one for terasic or whatever requires pulling
> | > | sources from a number of repos.  in a couple of months, we're expecting
> | > | folk such as bellovin, turner, and jane user to follow our wiki path to
> | > | a testable somethingorother.  it would be nice if they did not have to
> | > | git pull a bunch of repos, but have some over-repo requiring just one
> | > | pull.
> | > |
> | > | how do we design and do that?
> | >
> | > GIT-SUBMODULE(1)
> |
> | Agreed that this is probably one of the tools we need to use, but be
> | warned that it's not that simple.  submodules are a complicated
> | mechanism and you're not going to get something so simple that you can
> | just get everything with a simple "git clone" command.
> |
> | What we're talking about here is a "superproject" as described briefly
> | in an offhand comment in:
> |
> |   http://git-scm.com/book/en/Git-Tools-Submodules
> |
> | Since the superproject is itself a repository with commits, we now
> | have the issue of who is making those commits?  Human?  Robot?  Both?
> | Coordinating how?  Is the intent that HEAD of the superproject always
> | track HEAD of all the submodules (which would require a script, since
> | submodules don't track symbolic references) or that the superproject
> | track the most recent //tested// version (in which case all the
> | previous questions apply, with the additional question of "tested by
> | whom or by what?").
...
> 
> | I think the underlying problem, though, is not tools, it's absence in
> | the story to date of a role we haven't discussed much: the release
> | engineer.  If we had such a person, that's who would own the
> | superproject, and that's who would own the "tested by whom" question
> | above (not necessarily the person //doing// the testing, but
> | responsible for making sure it gets done and that its output is
> | factored into decisions about what to commit to the superproject).

Yes!

I think we need to start to consider doing official releases of either
only the complete Cryptech system or the system and underlying systems
as well. I can for example see the trng as being one such system where
we can basically now start tagging numbered releases and write release
notes for official versions.

This would make it much easier for users/implementers to follow what we
do and see the progress in terms of functionality.

Another related issue is that we start using issue tracking for new
features, bug fixes etc. This would make our development even more
transparent, but also allow others to contribute suggestions, issues and
solutions (hopefully).

Thoughts on how we do this best? Or not.
-- 
With kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
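Added example, not part of the original message or of the Cryptech code base: the quoted discussion notes that a superproject pins each submodule to a commit rather than a symbolic reference, and asks who verifies that the pins are the tested versions. The sketch below reads the pins from `git ls-tree -r HEAD` output and compares them with a manifest of tested commits; the paths, hashes and the manifest itself are constructed assumptions.

```python
import re

GITLINK_MODE = "160000"  # tree-entry mode git records for a submodule pin
LS_TREE_LINE = re.compile(r"^(\d{6}) (\w+) ([0-9a-f]{40,64})\t(.+)$")


def submodule_pins(ls_tree_output):
    """Return {path: commit} for every gitlink in `git ls-tree -r` output."""
    pins = {}
    for line in ls_tree_output.splitlines():
        m = LS_TREE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable ls-tree line: {line!r}")
        mode, objtype, sha, path = m.groups()
        if mode == GITLINK_MODE and objtype == "commit":
            pins[path] = sha
    return pins


def check_release(pins, tested):
    """Compare pins with the tested manifest; return findings sorted by path."""
    findings = []
    for path in sorted(pins.keys() | tested.keys()):
        if path not in tested:
            findings.append(f"{path}: pinned but not in tested manifest")
        elif path not in pins:
            findings.append(f"{path}: in manifest but not a submodule")
        elif pins[path] != tested[path]:
            findings.append(
                f"{path}: pin {pins[path][:8]} != tested {tested[path][:8]}")
    return findings


# Constructed sample: `git ls-tree -r HEAD` output of a hypothetical superproject.
SAMPLE_LS_TREE = (
    "100644 blob " + "1" * 40 + "\t.gitmodules\n"
    "100644 blob " + "2" * 40 + "\tREADME.md\n"
    "160000 commit " + "a" * 40 + "\tcore/trng\n"
    "160000 commit " + "b" * 40 + "\tcore/sha256\n"
    "160000 commit " + "c" * 40 + "\tsw/test\n"
)
# Constructed manifest (hypothetical): commits that passed testing.
TESTED = {"core/trng": "a" * 40, "core/sha256": "d" * 40, "core/aes": "e" * 40}

if __name__ == "__main__":
    for finding in check_release(submodule_pins(SAMPLE_LS_TREE), TESTED):
        print(finding)
```

An empty findings list means every committed pin matches a tested commit; a human or a robot committing to the superproject can run the same check before pushing.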

