On Thu, 2007-12-20 at 05:39 +0100, Michael Schwendt wrote:
On Wed, 19 Dec 2007 14:55:51 -0500, Tom "spot" Callaway wrote:
On Wed, 2007-12-19 at 11:52 -0800, Bryan O'Sullivan wrote:
Is the package signing step done by hand? That's been my understanding, but maybe I'm missing something. It reminds me of Sigourney Weaver's role in "Galaxy Quest": a seemingly needless insertion of people into the process.
If so, why? Can we switch to an automated process?
It is currently a manual process, and Jesse Keating has been working for some time to make an open source signing server that will work for Fedora's infrastructure needs but also be useful for anyone.
A signing-server doesn't fix everything. It may help with the security implications of giving away the key password as was done for Extras. But hoping for much more frequent or automated pushes of non-critical updates would be insane.
Isn't testing what is supposed to implement the "delay queue", which is what you seem to be asking for.
Releasing new repodata and new packages too often would make the repositories a moving target for all mirrors. The updates repository is continuously flooded with version upgrades, which move farther away from the tested gold release of the distribution only to break due to new bugs, which then require further updates.
At the same time Fedora+updates is suffering from bugs not receiving fixes in reasonable time.
To put it bluntly: * As a packager, I feel strangled by current release practice. * As a user I am gradually feeling annoyed by seeing bugs not getting fixed. * If I were still a "low bandwidth user" I would quit Fedora now, because updates are being pushed in "big chunks" blocking internet access for hours once a week, instead of being fed with "small chunks" in shorteŕ intervals.
Ralf