On 7/31/19 7:35 AM, Tomasz Torcz wrote:
> On Wed, Jul 31, 2019 at 03:15:32PM +0100, Richard W.M. Jones wrote:
>> On Tue, Jul 30, 2019 at 11:11:34AM -0700, Kevin Fenzi wrote:
>>> In this case it's koji.
>>>
>>> For every package in the mass rebuild (f31-pending tag) robosign asks
>>> koji "hey, is foobar-1.0.1-1.fc31 signed"? koji checks... "yes, it is".
>>> robosign: "great, then I ask you to write out the signed rpms now"
>>> koji: "ok, writing them out to disk again"
>>>
>>> it's mostly this last step that's slow. I am not sure if koji is just
>>> seeing if they were written out and returning, or actually re-writing
>>> them out. It seems like it might be the latter, which makes me suspect
>>> koji could optimize this somewhat.
>>
>> It's still taking a long time today to get builds through Koji and
>> into Rawhide. Is there a reason we need to sign builds in Rawhide?
>
> Because administrators of Fedora infrastructure run rawhide on laptops, and we
> don't want them to be easily* hackable.
>
> * or maybe not easily, but easier than users of regular releases

Ha. No. It's for a variety of reasons:

* Various groups that interact with the packages do not want to have to
  code in exceptions or treat some things differently. (QA, CI, package
  tools).

* Signing packages is a clear way to indicate where they are from. (Look
  at the 'keychecker' package.) If you see a foo-1.0-1.fc29.x86_64.rpm
  package you can check its signature and see that it came from rawhide
  or f29 or nowhere known, etc.

* If you use metalinks, rpm signatures are just gravy on top; in the end
  you are still just trusting SSL CAs.

* Making sure everything is signed in rawhide allows us to test/develop
  tooling that operates on composes instead of having to test those in
  stable release branches.

There's likely other things too...

kevin
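The "which key signed this rpm, and do we recognise it" check that the keychecker remark above describes, written out as an added example. This is not Fedora's keychecker code and not part of the thread; it assumes the signature string comes from `rpm -qp --qf '%{SIGPGP:pgpsig}' pkg.rpm` (which prints "(none)" for an unsigned package), and the key IDs in the lookup table are constructed placeholders, not real Fedora signing keys.

```python
"""Classify RPMs by the OpenPGP key that signed them (keychecker-style).

Added example, not Fedora's keychecker. It parses the string that
`rpm -qp --qf '%{SIGPGP:pgpsig}' pkg.rpm` prints and maps the key ID to
a release. The key IDs in KNOWN_KEYS are constructed placeholders.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed placeholder table: key ID (16 lowercase hex chars) -> release.
# A real deployment fills this from the keys it actually trusts.
KNOWN_KEYS: Dict[str, str] = {
    "0000000000000f29": "fedora-29",
    "0000000000000f30": "fedora-30",
    "0000000000000f31": "fedora-31 (rawhide)",
}

# Tail of rpm's pgpsig format, e.g.
# "RSA/SHA256, Tue 30 Jul 2019 06:00:00 PM UTC, Key ID 0000000000000f31"
_KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})\s*$")


def parse_key_id(pgpsig: str) -> Optional[str]:
    """Return the signing key ID from a pgpsig string, or None if unsigned.

    rpm prints "(none)" for %{SIGPGP:pgpsig} on an unsigned package, which
    the regex does not match, so that case also yields None.
    """
    m = _KEY_ID_RE.search(pgpsig.strip())
    return m.group(1).lower() if m else None


def classify(pgpsig: str, known: Dict[str, str] = KNOWN_KEYS) -> str:
    """Map one signature string to a verdict: release name, 'unsigned',
    or 'unknown key <id>' (signed, but by nobody we trust)."""
    key = parse_key_id(pgpsig)
    if key is None:
        return "unsigned"
    return known.get(key, "unknown key %s" % key)


def check_packages(rows: Iterable[Tuple[str, str]],
                   known: Dict[str, str] = KNOWN_KEYS) -> Dict[str, str]:
    """rows: (package NVRA, pgpsig string) pairs -> {NVRA: verdict}."""
    return {nvra: classify(sig, known) for nvra, sig in rows}


# Constructed sample: what looping `rpm -qp --qf '%{NVRA} %{SIGPGP:pgpsig}'`
# over a few files might yield. None of these are real packages or keys.
SAMPLE = [
    ("foo-1.0-1.fc29.x86_64",
     "RSA/SHA256, Tue 30 Jul 2019 06:00:00 PM UTC, Key ID 0000000000000f29"),
    ("bar-2.3-4.fc31.x86_64",
     "RSA/SHA256, Wed 31 Jul 2019 09:12:00 AM UTC, Key ID 0000000000000f31"),
    ("baz-0.1-1.fc31.x86_64", "(none)"),
    ("qux-9.9-1.fc31.x86_64",
     "RSA/SHA256, Wed 31 Jul 2019 09:12:00 AM UTC, Key ID deadbeefdeadbeef"),
]

if __name__ == "__main__":
    for nvra, verdict in check_packages(SAMPLE).items():
        print(f"{nvra}: {verdict}")
```

The three verdicts ("fedora-29"/"fedora-31 (rawhide)", "unsigned", "unknown key ...") are exactly the distinctions the thread wants from universal signing: tooling downstream (QA, CI, compose checks) can treat every package the same way and flag the two failure cases without special-casing rawhide. Note that this only reads the key ID rpm reports; verifying the signature itself is `rpm -K` against an imported key.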
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx