On Thu, 2007-12-20 at 05:39 +0100, Michael Schwendt wrote: > On Wed, 19 Dec 2007 14:55:51 -0500, Tom "spot" Callaway wrote: > > > > > On Wed, 2007-12-19 at 11:52 -0800, Bryan O'Sullivan wrote: > > > > > Is the package signing step done by hand? That's been my understanding, > > > but maybe I'm missing something. It reminds me of Sigourney Weaver's > > > role in "Galaxy Quest": a seemingly needless insertion of people into > > > the process. > > > > > > If so, why? Can we switch to an automated process? > > > > It is currently a manual process, and Jesse Keating has been working for > > some time to make an open source signing server that will work for > > Fedora's infrastructure needs but also be useful for anyone. > > A signing-server doesn't fix everything. It may help with the security > implications of giving away the key password as was done for Extras. But > hoping for much more frequent or automated pushes of non-critical updates > would be insane. Isn't testing what is supposed to implement the "delay queue", which is what you seem to be asking for. > Releasing new repodata and new packages too often would > make the repositories a moving target for all mirrors. The updates > repository is continuously flooded with version upgrades, which move > farther away from the tested gold release of the distribution only to > break due to new bugs, which then require further updates. At the same time Fedora+updates is suffering from bugs not receiving fixes in reasonable time. To put it bluntly: * As a packager, I feel strangled by current release practice. * As a user I am gradually feeling annoyed by seeing bugs not getting fixed. * If I were still a "low bandwidth user" I would quit Fedora now, because updates are being pushed in "big chunks" blocking internet access for hours once a week, instead of being fed with "small chunks" in shorteŕ intervals. Ralf -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list