Sanity of the key vault as i understand it  as its air-gapped  (the no ssh part)


Corey W Sheldon
Freelance IT Consultant, Multi-Discipline Tutor
(p) 310.909.7672

Tutoring in person or via any of the following platforms:

{PayPal,Google Wallet/Play store, Apple Pay}
---------------------------------------------------------------------------------------------------
pub  3072D/718BF597 2014-12-08 
      Key fingerprint = 2930 99EB 083D D332 0752 88C4 E958 C5D6 718B F597
uid     Corey Sheldon (Fedora Key) <sheldon.corey@gmail.com>
---------------------------------------------------------------------------------------------------

On Tue, Mar 31, 2015 at 4:55 AM, Miroslav Suchý <msuchy@redhat.com> wrote:
On 03/27/2015 01:49 PM, Kevin Fenzi wrote:
> * releng person gathers list of pending update requests from bodhi.
>   (a few minutes)
>
> * releng person looks over list for anything out of the ordinary or
>   off. (another few minutes)
>
> * releng person tells sigul to sign that list of packages and write out
>   the signed ones in koji. The releng person talks to the sigul bridge
>   and the sigul vault (which is not reachable via ssh) talks to the
>   bridge.

Few minutes, but manual minutes. IIRC rest of the process is automatic.
Do we really need human here? What can be extraordinary here? Even if I have that security incident years ago in my
mind, I could not figure out why we need human reviewing list of packages to sign.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct