(maint) - Release prep v4.2.2 #178
Conversation
Would it make sense to publish to both? Facter gets released as GPG signed to https://downloads.puppet.com/ which feels like the right thing to do here. In Fedora's Facter packaging I use that as the official source (and verify the GPG signature). IMHO that gives way more supply chain safety than publishing to GitHub and also consistency to the community. |
| @@ -2,12 +2,14 @@ $LOAD_PATH.push(File.expand_path('lib', __dir__)) | |||
| require 'puppet-lint/version' | |||
|
|
|||
| Gem::Specification.new do |spec| | |||
| spec.name = 'puppetlabs-puppet-lint' | |||
| spec.name = 'puppet-lint' | |||
There was a problem hiding this comment.
This was merged quite fast. I would have suggested to revert the original commit instead. Or at least do the change in a dedicated PR and not the release PR. I think the renaming is a quite significant change and now it won't appear in the changelog?
I assumed and I'm still hoping that the final gems will be released to github and rubygems. Vox Pupuli follows the same pattern and that was also our recommendation in the last Vox Pupuli monthly meeting. |
|
@bastelfreak @ekohl - Lets discuss. We're going to re-open the discussion |
|
A In the case of Vox Pupuli, we don't depend on puppet-lint directly. Instead, we pull it in via group :test do
gem 'voxpupuli-test', '~> 7.0', require: false
endIf you don't publish to Rubygems, we need to change this to: group :test do
gem 'voxpupuli-test', '~> 7.0', require: false
source 'https://rubygems.pkg.github.com/puppetlabs' do
gem 'puppet-lint'
end
endOut of interest, I just tried to at least consume $ bundle update
Authentication is required for rubygems.pkg.github.com.
Please supply credentials for this source. You can do this by running:
`bundle config set --global rubygems.pkg.github.com username:password`
or by storing the credentials in the `BUNDLE_RUBYGEMS__PKG__GITHUB__COM` environment variableSo that will make consuming My recommendation:
For Fedora RPM packaging of Facter & Puppet I verify the GPG key (https://src.fedoraproject.org/rpms/facter/blob/rawhide/f/facter.spec#_64 & https://src.fedoraproject.org/rpms/puppet/blob/rawhide/f/puppet.spec#_64) and I'll do the same for puppet-lint if possible. The PDK can then consume gems from a verified source, either via GH or downloads.puppet.com. I don't know the PDK build process, but perhaps just being able to verify a gem is signed and is identical to what's on Rubygems is sufficient assurance for customers. |
There was a problem hiding this comment.
Another note: the changelog does indicate 5.0.0:
Lines 8 to 13 in e981b19
No 4.2.2 entry exists.
As @bastelfreak said, a straight forward git revert would have been easier to follow.
Thanks for the in-depth analysis @ekohl. RE The changelog, this was an oversight and will be corrected in the next release of puppet-lint. |
Summary
Rolling back release v5.0.0.
Releasing puppet-lint gem with reference to newly published rubygem on GitHub registry.
Have added original owner back as this will be the final release under https://rubygems.org/gems/puppet-lint.
Additional Context
Add any additional context about the problem here.
Related Issues (if any)
Mention any related issues or pull requests.
Checklist