On 3/20/19 2:09 PM, brektyme(a)brektyme.com wrote:
I haven't been keeping up with Koji development lately, but one of my
biggest pain points in the past when running my own koji system, is
key management and artifact signing. A big win IMHO would be some kind
of key broker and automated artifact signing.
Thanks, Josh
I feel your pain. I use Sigul and am not aware of any alternatives. In
my experience, none of that can be used out of the box with a modern
Fedora or EL7. I have had to enable Fedora's infra build repos to get
special versions of stuff to deal with gpgme. Even once it's up and
going, it's a major pain because I have to restart Sigul services nearly
daily from what appears to be a bug due to inactivity. Sites like RH or
Fedora probably never notice this because their build systems are so
much busier than a small site like what I administer. I'd gladly report
the bug and even offer to help fix it but if you look at the upstream
project page[0] for Sigul you can it resembles the minimum effort of
dumping code over the wall. Crude docs, no wiki, no issue tracker, etc.
Along those lines, I've sort of followed along with Koji development and
it looks like maybe it now has the ability to mash dist repos (or
whatever it is you'd call it when they're for regular consumption by
dnf/yum users), but I can't seem to find any sufficient docs on that and
don't have time to disrupt my own fragile solution short of having a
clear guide and definitive "yes it can do that!"
That all said, I love that Koji is seeing some developmental rhythm
nowadays and has what seems to be a more steady march of progress.
[0]
https://pagure.io/sigul
--
John Florian