On Wed, Nov 25, 2009 at 08:56:06AM -0800, Jesse Keating wrote:
> On Wed, 2009-11-25 at 07:54 -0500, Josh Boyer wrote:
> > On the signing front alone, there are a couple things we could do with some
> > additional bodhi/koji work. The first is to have koji auto-sign everything. I
> > think that is the best solution, but it's also the farthest off and I would
> > rather not wait for that. Another idea is to have bodhi put packages in a
> > special tag when they are requested for push and remove them once the push is
> > complete. E.g.
> >
> > User A submits package for F12 updates-testing push. Bodhi queues it up like
> > normal, and does the equivalent of 'koji tag-pkg f12-updates-testing-push'.
> > When the push is complete, it untags the packages from said tags.
> >
> > Then I could actually run the sigul script on the tag instead of relying on
> > bodhi to get me a list of packages that need signing. It would increase the
> > time I have for signing as well, since bodhi won't give me the list of packages
> > queued while a push is going on.
>
> We also need to get some mitr time to make sigul run multithreaded.
> We're far, far underutilizing the hardware we allocated for this system.
>
> As to the above, why can't we just sign everything in the various
> *-updates-candidate tags? You'll wind up signing more than what is
> going to be pushed, but since you're doing it frequently it'll not
> matter as much. Since we are using only one key for F11 and F12
> updates, this would accomplish all the signing needed for those trees.

Aside from the time and koji storage, I see no real issues. I was going
to try that next week. I'll let you know how it goes.

josh