On Wednesday 09 August 2006 18:52, Michael Schwendt wrote:
> > How does the Extras package signing process differ from Base/Updates?
>
> Only somebody who knows the Core signing-process can answer that.

Core works like this. We have a database that holds a collection of packages. It knows where these packages live on the file system. When it comes to release time, I run a script that checks for a specific gpg sig on every package in the collection. If the signature isn't there, rpm sign it (prompting me for the passphrase). Once every package is signed with the right key, then I spin a tree for release.

Updates work somewhat like Extras. A developer builds a package for an update, uses a web tool to request the package be released as an update (filling in things like why the update exists, what bugs it might fix, whether it's for -testing or final updates, etc.). I get alerted that there is a pending update and I use a tool to move the package to the correct package collection, sign the package, toss it in a staging area for updates, and syncs out to the outside world, and sends email the developer created.

VERY few people know the passphrase for the fedora-testing and fedora-final key.

--
Jesse Keating
Release Engineer: Fedora
-- fedora-extras-list mailing list fedora-extras-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-extras-list
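The pre-release check described in the message above (look for one specific key on every package in the collection, sign what lacks it, and only then proceed), sketched as an added shell example. This is not Fedora's release script, which the message does not show; the function names are hypothetical and the key ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example: function names are hypothetical, key ID is a constructed placeholder.
WANT_KEYID="${WANT_KEYID:-0123456789abcdef}"
# Header-only and header+payload signature tags, rendered as text by rpm.
SIG_QF='%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}\n'

# Extract the last key ID found on a pgpsig line, lowercased.
# An unsigned package renders every tag as "(none)", so nothing is printed.
sig_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{8,\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Succeed only if the package header names WANT_KEYID as its signer.
signed_by_release_key() {
    want=$(printf '%s' "$WANT_KEYID" | tr 'A-F' 'a-f')
    got=$(sig_keyid "$(rpm -qp --qf "$SIG_QF" "$1" 2>/dev/null)")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Print every package in the collection directory that lacks the release key.
unsigned_packages() {
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        signed_by_release_key "$pkg" || printf '%s\n' "$pkg"
    done
}

# Sign what is missing, then fail closed unless the whole collection is signed.
sign_collection() {
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        signed_by_release_key "$pkg" && continue
        # Prompts for the passphrase of the key selected by _gpg_name.
        rpm --define "_gpg_name $WANT_KEYID" --addsign "$pkg" || return 1
    done
    [ -z "$(unsigned_packages "$1")" ]
}

# With a directory argument, run the gate; with none, only define the functions.
[ "$#" -eq 0 ] || sign_collection "$1"
```

The key ID read from the header only shows which key the signature claims to come from; `rpm -K` against a keyring holding the release public key is what actually verifies it.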