On Tue, 31 Mar 2015 10:55:38 +0200 Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:

> On 03/27/2015 01:49 PM, Kevin Fenzi wrote:
> > * releng person gathers list of pending update requests from bodhi.
> > (a few minutes)
> >
> > * releng person looks over list for anything out of the ordinary or
> > off. (another few minutes)
> >
> > * releng person tells sigul to sign that list of packages and write
> > out the signed ones in koji. The releng person talks to the sigul
> > bridge and the sigul vault (which is not reachable via ssh) talks
> > to the bridge.
>
> A few minutes, but manual minutes. IIRC the rest of the process is
> automatic. Do we really need a human here? What can be extraordinary
> here? Even with that security incident from years ago in my mind, I
> could not figure out why we need a human reviewing the list of packages
> to sign.

Well, fully automated processes are good at just doing what they are told, and humans are good (sometimes) at spotting patterns, so I could see a human catching something like an old, obviously not current package being in the signing list, or some obvious bad version of an existing package.

Shrug.

We have been working on automated signing of rawhide, and this could replace the humans elsewhere too, but we would want to make sure it has checks and also lots and lots of reporting so humans can still see something wrong and stop it from doing something bad.

kevin
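As an added illustration (not code from the thread or from Fedora releng), here is the kind of pre-signing check and report the last paragraph asks for: compare each pending build against what currently ships and flag downgrades, duplicates and never-shipped packages so a human or an automated gate can stop the batch before sigul is asked to sign. The package lists are constructed samples and the version comparison is a simplified rpm-style compare, not the real rpmvercmp.

```python
import re

# Constructed sample of what currently ships (name -> epoch:version-release).
CURRENT = {"openssl": "1:1.0.1k-1.fc21", "kernel": "0:3.19.2-201.fc21",
           "bash": "0:4.3.33-1.fc21"}

# Constructed sample of the pending update requests gathered from bodhi.
PENDING = [("openssl", "1:1.0.1k-2.fc21"),      # routine release bump
           ("kernel", "0:3.18.7-200.fc21"),     # older than shipped: suspicious
           ("totallynewpkg", "0:0.1-1.fc21"),   # never shipped: needs a look
           ("bash", "0:4.3.33-1.fc21")]         # identical to shipped build

def vercmp(a, b):
    """Simplified rpm-style compare: split into digit/alpha runs, compare
    digit runs numerically, alpha runs lexically, digits beat alpha."""
    sa, sb = re.findall(r"[0-9]+|[a-zA-Z]+", a), re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def _split(evr):
    epoch, _, rest = evr.partition(":")
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evrcmp(a, b):
    """Compare two epoch:version-release strings; returns -1, 0 or 1."""
    (ea, va, ra), (eb, vb, rb) = _split(a), _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return vercmp(va, vb) or vercmp(ra, rb)

def check_signing_list(pending, current):
    """Report one verdict per pending build; 'FLAG:' entries are the ones a
    human (or an automated gate) should stop on before sigul is told to sign."""
    report = []
    for name, evr in pending:
        if name not in current:
            verdict = "FLAG: package has never shipped"
        else:
            c = evrcmp(evr, current[name])
            verdict = ("FLAG: older than shipped " + current[name] if c < 0 else
                       "FLAG: identical to shipped build" if c == 0 else "ok")
        report.append((name, evr, verdict))
    return report
```

Run against the samples, only the openssl bump comes back "ok"; the other three rows carry a FLAG and would hold the batch for review.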
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct