
Debian repo

Open im-n1 opened this issue 7 years ago • 13 comments

Hi there, any plans with pushing this awesome piece of software into Debian repo? Or running your own?

im-n1 avatar Nov 05 '18 08:11 im-n1

Since I'm already leveraging goreleaser for generating RPMs and DEBs I'd like to enhance that project first, then it would be pretty trivial to make PPA/COPR/Debian repos. Added an issue in goreleaser (https://github.com/goreleaser/goreleaser/issues/864) to add SRPM support.

wagoodman avatar Nov 07 '18 01:11 wagoodman

It could make sense to also send an RFP to the Debian tracker, but the package might be renamed because it would conflict with https://bugs.debian.org/726779 ? maybe dive-docker or go-dive ? any preference ?

rzr avatar Aug 12 '19 14:08 rzr

Good catch, @rzr . In the future I'm hoping to integrate more tools and engines with dive, so tying it directly with docker would be misleading in the future. The fact it's go is fairly arbitrary too. How about dive-container? I'm open to more suggestions.

wagoodman avatar Aug 14 '19 17:08 wagoodman

GitLab CI allows creating GitLab Pages with pipeline execution. This allows creation of a deb repo. It can be a temporary solution for the time it is not in the official repos. But it is a security disaster to store GPG private keys on CI.

KOLANICH avatar Sep 20 '19 19:09 KOLANICH

@KOLANICH How about running your own gitlab-runner? (On AWS, for example) Keep the GPG-key there. In ASM. In Vault. Anywhere.
Store password to this key as a secret-variable?

Moreover, use an intermediate GPG key. And never GPG-CA anywhere?

limakzi avatar Sep 20 '19 20:09 limakzi

> How about running your own gitlab-runner? (On AWS, for example)

Only on a dedicated physical machine. Remember about microarchitectural cross-VM attacks.

> Keep the GPG-key there. In ASM. In Vault. Anywhere.

Probably in a HSM.

Though all these measures are infeasible. Here is a feasible measure that should be done anyway:

  • separate builds into the ones done and signed manually and the ones done automatically, and say that the ones done automatically are less trusted;

  • make the builds reproducible to allow everyone to check if build infrastructure acts trustworthily.

KOLANICH avatar Sep 22 '19 19:09 KOLANICH
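As an added illustration of the reproducible-builds measure proposed above (example code, not from this thread or the dive project), the following packs a constructed build tree twice, once the way an unprepared build does and once with every environment-dependent field pinned, and shows that only the second form gives a third party a digest they can independently re-derive. The builder environments and file tree are constructed sample data.

```python
"""Why 'make the builds reproducible' lets outsiders audit CI: a naive archive
carries builder-specific metadata, a normalized one does not."""
import gzip
import hashlib
import io
import tarfile

# Constructed sample build output (path -> contents), standing in for a package tree.
BUILD_TREE = {
    "usr/share/doc/dive/README": b"dive docs\n",
    "usr/bin/dive": b"#!/bin/sh\necho dive\n",
}

# Constructed builder environments: the same sources built on two different machines.
BUILDER_A = {"mtime": 1568000000, "uid": 1000, "uname": "ci-runner", "order": sorted}
BUILDER_B = {"mtime": 1569123456, "uid": 0, "uname": "root",
             "order": lambda names: sorted(names, reverse=True)}


def _pack(tree, entries, gzip_mtime):
    """Shared tar+gzip writer; `entries` yields (name, TarInfo) in the desired order."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, info in entries:
            tf.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    # gzip stores its own timestamp in the header unless it is pinned
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def naive_pack(tree, env):
    """Unprepared build: wall-clock mtimes, the builder's uid/user name and
    whatever directory order the machine happens to return."""
    def entries():
        for name in env["order"](tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = env["mtime"]
            info.uid = info.gid = env["uid"]
            info.uname = info.gname = env["uname"]
            yield name, info
    return _pack(tree, entries(), env["mtime"])


def reproducible_pack(tree, env, source_date_epoch=0):
    """Same content, but sorted order, SOURCE_DATE_EPOCH as mtime, uid/gid 0 with
    empty names and gzip mtime 0; `env` is accepted and deliberately ignored."""
    def entries():
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            yield name, info
    return _pack(tree, entries(), 0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def independent_rebuild_matches(pack, tree):
    """The check an outside verifier performs: rebuild on a different machine and
    compare digests with what the CI published."""
    return sha256(pack(tree, BUILDER_A)) == sha256(pack(tree, BUILDER_B))


def unpack(blob):
    """Read an archive back into {path: contents} to confirm content is unchanged."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf.getmembers()}
```

A publisher who ships the reproducible form can let anyone rebuild and compare digests, which is what makes a CI-signed artifact auditable rather than merely trusted.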

Just to be sure: is there any official RFP for Debian somewhere? Or something similar that can be tracked?

alexanderadam avatar Jun 09 '20 07:06 alexanderadam

None I know but I can create one for dive-container ? or can you suggest another name ?

rzr avatar Jun 09 '20 08:06 rzr

> None I know but I can create one for dive-container ? or can you suggest another name ?

You should just call it dive. There is currently no package with that name, so you can use this one. Suffixes are usually only applied for a variation of software or if the name is already taken. If it is not, just use the original name, which is dive.

theAkito avatar Jun 09 '20 08:06 theAkito