On Wed, 09 Mar 2016 21:10:14 -0000
"Christian Stadelmann" <genodeftest@xxxxxxxxxxxxxxxxx> wrote:

> > On Ter, 2016-03-08 at 14:49 +0100, Jakub Jelen wrote:
> > Meanwhile, can't we hack copr, with gpgcheck=0 in Fedora 24
> > repos. It will be much less stressful.
>
> Please don't. Having unchecked code shipped and installed is a risk
> we don't need to take. How about signing every package instead,
> including rawhide/F24 at split time?

ok, one more time (I have lost count of how many times I have explained
this, so perhaps I can just point to this mail from now. ;)

When we branch a new release off, but before bodhi is enabled, i.e., the
two weeks between Branch Fedora 24 from Rawhide (Rawhide becomes future
F25) and Bodhi activation point, there is no gating in the branched
release; it composes via cron every night (just as rawhide always does).

We have a process that autosigns things (hurray!) but without a gate,
there is no way we can be 100% sure that all packages are signed in
each night's compose.

Let's take an example. Say the cron fires off at 5:15 UTC. The autosigner
signs everything and we are 100% signed at 5:10 UTC. Then a texlive
build finishes and is tagged into the repo. The autosigner starts
signing its 5000+ packages (including its 1.xGB src.rpm that takes
about 30min to sign). There's no way it can finish before the compose
kicks off.

So, the only way we can ensure this is to gate things. We have talked
about doing that for rawhide in the past, but just haven't done it yet.
I suppose once we do we could use the same setup for branched for these
two weeks.

Until then, sorry.

kevin
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
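
The race described in the message above, and what a gate changes, as an added example that is not part of the original mail and is not Fedora's tooling. It assumes one possible gate (a build becomes visible to the compose only once its signature is complete); the `Build` record, the function names, the date and the version numbers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Build:
    name: str                      # package name
    version: str
    tagged_at: datetime            # when the build was tagged into the repo
    signed_at: Optional[datetime]  # when the autosigner finished (None = never)

def signed_by(build, when):
    return build.signed_at is not None and build.signed_at <= when

def newest_per_package(builds):
    newest = {}
    for b in sorted(builds, key=lambda b: b.tagged_at):
        newest[b.name] = b         # later tag wins
    return newest

def ungated_compose(builds, when):
    """Cron behaviour from the mail: take the newest tagged build, signed or not."""
    return newest_per_package([b for b in builds if b.tagged_at <= when])

def gated_compose(builds, when):
    """Assumed gate: a build is visible only once its signature is complete."""
    return newest_per_package(
        [b for b in builds if b.tagged_at <= when and signed_by(b, when)])

def unsigned_in(compose, when):
    return sorted(b.name for b in compose.values() if not signed_by(b, when))

# Constructed timeline following the mail's example (date, versions are made up).
DAY = datetime(2016, 3, 9)
COMPOSE = DAY + timedelta(hours=5, minutes=15)   # cron fires at 05:15 UTC
BUILDS = [
    Build("bash", "1", DAY + timedelta(hours=1), DAY + timedelta(hours=1, minutes=5)),
    Build("texlive", "1", DAY - timedelta(days=3), DAY - timedelta(days=2)),
    # Tagged at 05:11, after the 05:10 all-signed point; signing ends after the compose.
    Build("texlive", "2", DAY + timedelta(hours=5, minutes=11),
          DAY + timedelta(hours=5, minutes=50)),
]

if __name__ == "__main__":
    print("ungated, unsigned:", unsigned_in(ungated_compose(BUILDS, COMPOSE), COMPOSE))
    gated = gated_compose(BUILDS, COMPOSE)
    print("gated ships texlive", gated["texlive"].version,
          "unsigned:", unsigned_in(gated, COMPOSE))
```

With the gate, the 05:15 compose carries the previous signed texlive and picks up the new build on a later run, once signing has finished.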