On 7/31/19 8:07 AM, Richard W.M. Jones wrote:
> On Wed, Jul 31, 2019 at 10:22:36AM -0400, Stephen John Smoogen wrote:
>> On Wed, 31 Jul 2019 at 10:16, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
>>
>>> On Tue, Jul 30, 2019 at 11:11:34AM -0700, Kevin Fenzi wrote:
>>>> In this case it's koji.
>>>>
>>>> For every package in the mass rebuild (f31-pending tag) robosign asks
>>>> koji "hey, is foobar-1.0.1-1.fc31 signed"? koji checks... "yes, it is".
>>>> robosign: "great, then I ask you to write out the signed rpms now"
>>>> koji: "ok, writing them out to disk again"
>>>>
>>>> it's mostly this last step that's slow. I am not sure if koji is just
>>>> seeing if they were written out and returning, or actually re-writing
>>>> them out. It seems like it might be the latter, which makes me suspect
>>>> koji could optimize this somewhat.
>>>
>>> It's still taking a long time today to get builds through Koji and
>>> into Rawhide. Is there a reason we need to sign builds in Rawhide?

Can you define 'a long time'? Do you have an example build for me to look at?

>> 1. Because everyone's rawhide.repo says they are signed
>> 2. Every time we get unsigned packages people start freaking out that some
>> nation state is trying to take over their computer.
>> 3. Because nation states do that and those packages will become F32/F33 at
>> some point.
>
> Actually my question was wrong. Is there any reason we need to sign
> builds while they are internal to Koji (i.e. proving BuildRequires for
> subsequent builds)? They could still be signed when they go out to
> Rawhide.

Packages are signed before CI runs on them. This is so the _exact_ thing we are going to be using/shipping/building against is the thing that we actually test. When you instead test something, then change it, you leave yourself open to issues with whatever changes you are doing.

CI runs before they land in the buildroot as we want to not build against anything that was gated for whatever reason.

kevin