Adding Seth to the CC list per Spot's recommendation.
Seth, what we are looking to do is find a clean way to handle secondary
arch packages (in this case ia64 but eventually sparc, s390, alpha and
arm as well) which are signed with a different key than the primary
arches.
What we want to do is add a new key for ia64 to the fedora-release
package and not break any existing stuff. We would like to avoid a
special fedora-release package that is specific to each secondary arch.
Do you have any suggestions from a yum point of view as to what would
work best here?
thanks,
- Doug
On Wed, 2008-05-21 at 17:10 -0400, Doug Chapman wrote:
Sorry if you get this twice, the fedora-secondary-list was bouncing but
appears to be working now so sending again to be sure everyone gets
this.
I would like to start a discussion about devising a procedure for
handling rpm package signing for secondary arches. When we released the
F9 beta for ia64 we did not sign the packages; however, I feel we should
take care of this for F9 final (or at least have a good reason for not
doing it).
We should probably have a unique key for each arch. Generating a key
and signing the packages itself isn't a big deal (I assume, I need to
learn how to do this but I understand the concept). The problem is
making sure it works cleanly on the user's end.
Currently the public key for the primary arches is saved in the
file /etc/pki/rpm-gpg/RPM-GPG-KEY and is part of the fedora-release
package. This is then hard coded into the yum configs.
So I have 3 rough ideas on how to handle this cleanly.
1: a special fedora-release package for each secondary arch that has the
appropriate keys (personally I don't like this idea but figured I would
mention it for discussion).
2: we move the keys from:
/etc/pki/rpm-gpg/RPM-GPG-KEY
to
/etc/pki/rpm-gpg/$basearch/RPM-GPG-KEY
of course this means replicating the keys for x86 and ppc (and the 64
bit variants) in multiple places (but I guess those could be symlinked)
still would be fairly clean.
3: we do something similar to #2 but instead of using $basearch in the
path we have a post install script for the fedora-release rpm which
copies the appropriate key into /etc/pki/rpm-gpg/RPM-GPG-KEY based on
the arch of the system. The nice thing about this is it doesn't require
any changes to the primary arches. The script would only copy files
over if on one of the secondary arches.
thoughts? I would like to get this resolved before long since it is one
of the final issues we want to fix before shipping F9 for ia64.
- Doug
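
Idea 3 above, sketched as an added example (not code from this thread or from the fedora-release package): a post-install helper that replaces RPM-GPG-KEY only on a secondary arch and refuses to overwrite it with a missing or empty key. The per-arch file name RPM-GPG-KEY-<arch>, the arch patterns and the function names are assumptions.

```shell
#!/bin/sh
# Added example: sketch of the post-install logic from idea 3.
# Assumption: per-arch keys ship as $keydir/RPM-GPG-KEY-<arch>.

# Secondary arches named in this thread; anything else is treated as primary.
is_secondary_arch() {
    case "$1" in
        ia64|sparc*|s390*|alpha*|arm*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_arch_key ARCH KEYDIR
# Returns 0 if nothing needed doing or the key was installed, 1 on error.
install_arch_key() {
    arch=$1
    keydir=$2
    is_secondary_arch "$arch" || return 0    # primary arch: no change

    src="$keydir/RPM-GPG-KEY-$arch"
    dst="$keydir/RPM-GPG-KEY"
    # Refuse to replace the trusted key with a missing or empty file.
    [ -s "$src" ] || { echo "no key for $arch in $keydir" >&2; return 1; }

    # Copy to a temp file first, then rename, so a failed copy never
    # leaves a truncated key where yum expects a complete one.
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" && mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 1; }
}

# In a scriptlet this would be called as (not run here):
#   install_arch_key "$(uname -m)" /etc/pki/rpm-gpg
```

On error the existing key file is left as it was, so the scriptlet never leaves the system with a partial key.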