On 15 July 2017 at 12:36, Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl> wrote:
> On Thu, Jul 13, 2017 at 11:55:52AM -0400, Randy Barlow wrote:
> > On Thu, 2017-07-13 at 00:36 +0200, Kevin Kofler wrote:
> > > Koji will take care of the signing for Flatpaks
> > > built in Koji as it does for RPMs built in Koji.
> So there is change really.
> Before: developers sign tarball, packagers authenticate to Fedora, Fedora signs rpm
> With Flatpaks: developers sign tarball, packagers authenticate to Fedora, Fedora signs
> Same amount of links of trust, same amount of signatures. No?
It depends on a couple of other steps that are dropped out. Currently
here is the level:
Developer releases source code.
Maybe they sign it or not.
Packager downloads source code.
Packager maybe checks signature of source code.
Packager authenticates to Fedora
Packager uploads source code
Packager updates/uploads spec file
Fedora builds source code into package using other signed/supported code.
Packager tests built package
Packager asks Fedora to sign package
Fedora signs package
Fedora puts package into testing
OS Testers download/test package
Fedora pushes package into release/updates
OS Users download/use package
Each of those steps has a specific trust chain to it. The part that
isn't clear with the Flatpak is that various people in these threads
have explained different chains of how Flatpaks are being delivered
to users. Those descriptions have gotten conflated multiple times by
both proponents and opponents to make it less clear how the entire
trust chain works.
Versions I have seen discussed as the Flatpak way:
1. Developer releases source code. Developer makes Flatpak. Packager
uploads Flatpak. Fedora signs it. Things test it. User gets it.
2. Developer releases source code. Developer signs source code.
Packager downloads and checks sig. Packager compiles Flatpak.
Packager signs Flatpak. Packager uploads to Fedora. Fedora checks and
signs it. Things test it. User gets it.
3. Dev releases source code. Dev signs source code. Pack downloads and
checks sig. Packager makes Flatpak spec file. Packager uploads source
code and spec file to Fedora. Fedora builds Flatpak. Fedora signs
Flatpak. User gets it.
4. Developer releases source code. Someone makes a Flatpak from
source code. Fedora tools point user to that Flatpak wherever it is
and use some sort of verification to 'trust it'.
Each of those has a different trust path and when people say "Oh they
are the same" they may be talking about 1 single version but
because someone else was talking about another there is disagreement.
Can we list this clearly?
> > Sigul is actually the system that signs the packages. They are
> > placed into a Koji tag when they need to be signed, and when Sigul is
> > done signing them it moves them into a new Koji tag.
> > https://pagure.io/sigul
devel mailing list -- devel(a)lists.fedoraproject.org
Stephen J Smoogen.