[service-announce] Temporary addition of unsigned tag permissions

Jeremy Stanley fungi at yuggoth.org
Tue Jan 25 19:39:03 UTC 2022

In the wake of yesterday's Gerrit 3.4 upgrade maintenance, we've
observed a regression in behavior where signed Git tags are being
misidentified as unsigned[*]. Since our ACLs normally disallow
pushing of unsigned (annotated) tags, the result is tag pushes being
rejected with a permissions error.

As an emergency measure, and in an attempt to not roll back our
Gerrit upgrade while working with their developers on a proper patch
so solve this, we have updated the ACLs for all projects with a
workaround so that they will be able to continue pushing tags.
Unfortunately, this workaround means that projects will temporarily
be able to push unsigned tags as well as signed ones, so we ask
anyone manually tagging their projects be extra careful to remember
to pass the -s option to git's tag subcommand.

Once we have a proper fix in place, the temporary addition of
unsigned tag permissions will be rolled back, and a follow-up
announcement sent to this mailing list.

[*] https://bugs.chromium.org/p/gerrit/issues/detail?id=15616
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.opendev.org/pipermail/service-announce/attachments/20220125/e78840cf/attachment.sig>

More information about the service-announce mailing list