Re: Rolling out Phase I of rawhide package gating

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/31/19 7:35 AM, Tomasz Torcz wrote:
> On Wed, Jul 31, 2019 at 03:15:32PM +0100, Richard W.M. Jones wrote:
>> On Tue, Jul 30, 2019 at 11:11:34AM -0700, Kevin Fenzi wrote:
>>> In this case it's koji.
>>>
>>> For every package in the mass rebuild (f31-pending tag) robosign asks
>>> koji "hey, is foobar-1.0.1-1.fc31 signed' ? koji checks... "yes, it is".
>>> robosign: "great, then I ask you to write out the signed rpms now"
>>> koji: "ok, writing them out to disk again"
>>>
>>> it's mostly this last step thats slow. I am not sure if koji is just
>>> seeing if they were written out and returning, or actually re-writing
>>> them out. It seems like it might be the latter, which makes me suspect
>>> koji could optimize this somewhat.
>>
>> It's still taking a long time today to get builds through Koji and
>> into Rawhide.  Is there a reason we need to sign builds in Rawhide?
> 
>   Because administrator of Fedora infrastructure run rawhide on laptops, and we
> don't want them to be easily* hackable.
> 
>   * or maybe not easily, but easier than users of regular releases

Ha. No.

It's for a variety of reasons:

* Various groups that interact with the packages do not want to have to
code in exceptions or treat some things differently. (QA, CI, package
tools).

* Signing packages is a clear way to indicate where they are from. (look
at the 'keychecker' package. If you see a foo-1.0-1.fc29.x86_64.rpm
package you can check it's signature and see that it came from rawhide
or f29 or no where known, etc.

* If you use metalinks, rpm signatures are just gravy on top, in the end
you are still just trusing SSL CA's.

* Making sure everything is signed in rawhide allows us to test/develop
tooling that operates on composes instead of having to test those in
stable release branches.

There's likely other things too...

kevin



Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux