On 15 July 2017 at 12:36, Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote: > On Thu, Jul 13, 2017 at 11:55:52AM -0400, Randy Barlow wrote: >> On Thu, 2017-07-13 at 00:36 +0200, Kevin Kofler wrote: >> > Koji will take care of the signing for Flatpaks >> > built in Koji as it does for RPMs built in Koji. > > So there is change really. > Before: developers sign tarball, packagers authenticate to Fedora, Fedora signs rpm > With flatpacks: developers sign tarball, packagers authenticate to Fedora, Fedora signs flatpack > > Same amount of links of trust, same amount of signatures. No? > It depends on a couple of other steps that are dropped out. Currently here is the level: Developer releases source code. Maybe they sign it or not. Packager downloads source code. Packager maybe checks signature of source code. Packager authenticates to Fedora Packager uploads source code Packager updates/uploads spec file Fedora builds source code into package using other signed/supported code. Packager tests built package Packager asks Fedora to sign package Fedora signs package Fedora puts package into testing OS Testers download/test package Fedora pushed package into release/updates OS Users download/use package Each of those steps has a specific trust chain to it. The part that isn't clear with the FlatPack is that various people in these threads have explained different chains of how FlatPacks are being delivered to users. Those descriptions have gotten conflated multiple times by both proponents and opponents to make it less clear how the entire trust chain works. Versions I have seen discussed as the Flatpack way. 1. Developer releases source code. Developer makes flatpack. Packager uploads flatpack. Fedora signs it. Things test it. User gets it. 2. Developer releases source code. Developer signs source code. Packager downloads and checks sig. Packager compiles flatpack. Packager signs flatpack. Packager uploads to Fedora. Fedora checks and signs it. Things test it. User gets it. 3. Dev releases source code. Dev signs source code. Pack downloads and checks sig. Packager makes flatpack spec file. Packager uploads source code and spec file to Fedora. Fedora builds flatpack. Fedora signs flatpack. User gets it. 4. Developer releases source code. Someone makes a flatpack from source code. Fedora tools point user to that flatpack whereever it is and uses some sort of verification to 'trust it'. 5. ... Each of those has a different trust path and when people say "Oh they are are the same" they may be talking about 1 single version but because someone else was talking about another there is disagreement. Can we list this clearly? >> Sigul[0] is actually the system that signs the packages. They are >> placed into a Koji tag when they need to be signed, and when Sigul is >> done signing them it moves them into a new Koji tag. >> >> [0] https://pagure.io/sigul > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx -- Stephen J Smoogen. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
