Gitlab issues
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues
2024-03-27T15:21:35Z

Investigate push-signing and transparency logs as mitigation for repository attacks
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/98
2024-03-27T15:21:35Z
Nick Mathewson

For background see:
* https://people.kernel.org/monsieuricon/signed-git-pushes
* https://korg.docs.kernel.org/gitolite/transparency-log.html
The idea here would be that some repositories (eg tor.git) could require signed _pushes_. Then we could archive these signed pushes in an append-only log, for auditing.
There are subproblems that would need to be solved for this to work:
* Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
* Allow signed pushes (requires setting certain options in gitconfig, see `certNonceSeed`, `certNonceSlop`, and `advertisePushOptions`)
* Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
* Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
* Decide what to do about key management.
And possibly:
* Make a tool that can be used at pull time to check the latest branch against the log.
There are also some sub-sub problems:
* Can we disable the merge button on target repositories?

legacy Git infrastructure retirement (TPA-RFC-36)

https link of comments at my user page on onion site cause the "Unable to connect" error
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/152
2024-03-13T00:05:25Z
snowflake_user_40314

Reproduce step: on onion site of this GitLab instance click my avatar and click Commented on issue #xxx

gitlab logs hold too much information
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/131
2023-06-28T18:43:31Z
anarcat

in https://gitlab.torproject.org/tpo/tpa/team/-/issues/40873 i found where gitlab keeps its logs and it turns out it keeps a lot of information, infringing on our normal policy to not even log the time of a request. we log IP addresses, user agents, all sorts of garbage, and for a full month.
figure out how to tune that down at least a little.

Send commits to mailing list(s)
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/71
2022-10-31T14:01:56Z
Alexander Færøy (ahf@torproject.org)

The browser folks want us to enable commit emails from fenix and other TB related repositories to their commit mailing list. We should find a way to do this in a structured way for the tpo/ namespace such that all our projects (also upcoming) get these hooks enabled.
For now, we need to get Fenix and Tor-Browser.

make wikis more editable
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/76
2022-10-13T13:17:43Z
anarcat

wikis can only be edited by members of the Developer group in a project, according to the [upstream documentation](https://docs.gitlab.com/ce/user/permissions.html#project-members-permissions). that is problematic because that permission also grants access to the source code in a project.
we'd like to have more flexibility in that regard: wikis are ideal for drive-by contributions who we might not want to grant special privileges to. similarly, teams should be able to edit each other's wiki, since documentation is often collaborative across teams.
let's see if that's possible at all.
There's an upstream feature request to make [wikis publicly editable](https://gitlab.com/gitlab-org/gitlab/-/issues/27294) and another to [allow visitors to suggest edits](https://gitlab.com/gitlab-org/gitlab/-/issues/42412). the wireshark team uses a [separate wiki with MR workflow](https://gitlab.com/wireshark/editor-wiki/) to allow outside contributions, but that feels rather clunky.

Links to "Commented on issue" on GitLab user's activity use https on the onion service
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/126
2022-08-29T20:38:20Z
Pier Angelo Vendrame

If you go to GitLab user's activity from the onion service, the "Commented on issue #..." entries have a HTTPS URL instead of a HTTP one.
![Screenshot_from_2022-06-14_15-05-20](/uploads/40bc753ac596de727444b4c1030c5e96/Screenshot_from_2022-06-14_15-05-20.png)
All the other links seem to work.

Jérôme Charaoui (lavamind@torproject.org)

Calculate estimated and spent time automatically for tickets with task lists
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/43
2022-05-30T19:08:43Z
Georg Koppen

We work around the unavailability of the Epics feature by using task
lists to denote parent/child relationships. One of the things that is
missing in that model is an update of the estimated/spent time in the
"parent" if things change on any issue listed in the task list. I am not
sure if that works for Epics but for us it would definitely be good to
have because some of us are trying to use parent tickets and task lists
to have tickets effectively on different milestones (the ticket itself
on milestone A while the parent ticket with ticket A on the task list on
milestone B) and we want to have proper time tracking for all of our
milestones.
I've not looked closely how we could solve this issue but maybe there is
a hook/plugin we can write that could help. The amount of dependent
tasks and their open/close status are already tracked automatically,
which is good and might provide us some insight on how to bolt the
timetracking onto that.
FWIW: This is not to say that those parent tickets should only reflect
the time tracking information for their issues in the task list. It
should be possible to add additional time spent etc. Just that the
figures can't be below the sum of the respective fields of the child issues.
Nested lists should be taken into account as well. :)
@doulget, @gaba, and @sysrqb for visibility as this came up yesterday
during work on label clean-up.

Allowing pushing to protected branches enables the Merge button on MRs
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/50
2022-05-30T19:08:43Z
Georg Koppen

Previously (for some value of it) "Allowed to merge" controlled which
users received a green Merge button on an MR and "Allowed to push"
controlled which users were allowed to push via `git push` to protected
branches.
I think that worked reasonably in the sense that we could not merge
mistakenly to gitlab branches that were protected but the
torproject-pusher could sync over from git.tpo.
However, now it seems that the "Allowed to push" option is controlling
the Merge button, too. Even if no one is allowed to merge on protected
branches I get the green Merge button on MRs as long as "Allowed to
push" is enabled.
@sysrqb for notice as we talked about that problem earlier.

Making GitLab more searchable for Tor Log entries
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/124
2022-05-05T23:57:17Z
cypherpunks

Comment on GitLab Layout:
Gitlab issues would be easier to search if the List overview contained a "symptom"-column or a search- & sort-able subtitle that matched the "symptom"s appearing in Tor Log since this is what people would copy/paste from Tor Log and search for.

setup CI caching (and dependency proxy?)
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/96
2022-03-24T23:28:18Z
juga

I'm used to configuring a cache in `gitlab-ci.org`, but maybe tpo isn't configured for [that](https://docs.gitlab.com/ee/ci/caching/#where-the-caches-are-stored)?
The message I get in the pipeline job:
```
Creating cache default...
.cache/pip: found 417 matching files and directories
No URL provided, cache will be not uploaded to shared cache server. Cache will be stored only locally.
```

Gitlab should show text files in the browser
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/46
2022-03-24T23:28:17Z
Georg Koppen

Right now if I want to look at some .md or .txt file on Gitlab I need to
download and open it with an external application. However, that should
not be necessary. The browser should be sufficient for this task.