A proposal for Fedora updates

Kevin Fenzi kevin at scrye.com
Tue Mar 31 22:11:28 UTC 2015


On Tue, 31 Mar 2015 10:55:38 +0200
Miroslav Suchý <msuchy at redhat.com> wrote:

> On 03/27/2015 01:49 PM, Kevin Fenzi wrote:
> > * releng person gathers list of pending update requests from bodhi.
> >   (a few minutes)
> > 
> > * releng person looks over list for anything out of the ordinary or
> >   off. (another few minutes)
> > 
> > * releng person tells sigul to sign that list of packages and write
> > out the signed ones in koji. The releng person talks to the sigul
> > bridge and the sigul vault (which is not reachable via ssh) talks
> > to the bridge.
> 
> A few minutes, but manual minutes. IIRC the rest of the process is
> automatic. Do we really need a human here? What can be extraordinary
> here? Even if I have that security incident from years ago in my mind, I
> could not figure out why we need a human reviewing the list of packages to
> sign.

Well, fully automated processes are good at just doing what they are
told, and humans are good (sometimes) at spotting patterns, so I could
see a human catching something like an old, obviously not current
package being in the signing list, or some obviously bad version of an
existing package. Shrug.

We have been working on automated signing of rawhide, and this could
replace the humans elsewhere too, but we would want to make sure it has
checks and also lots and lots of reporting so humans can still see
something wrong and stop it from doing something bad.

kevin
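The kind of pre-signing check described above, written as an added example in Python; it is not Fedora's releng tooling and not code from this thread. It takes a constructed queue of koji-style NVRs waiting for sigul, compares each against the build currently in stable, and reports anything that is not newer than stable or that carries another release's dist tag, so a reviewer reads a short list of findings instead of the whole queue. The sample NVRs, the dist-tag rule and the simplified rpm version comparison are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Added example, not Fedora's own tooling. All NVRs below are constructed.

_SEG = re.compile(r"\d+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does,
    simplified: alternating numeric/alpha segments, numeric beats alpha,
    longer wins on a tie; tilde/caret handling is left out."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():        # numeric segment sorts after an alpha one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release'; the name itself may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(a: str, b: str) -> int:
    """Compare version-release of two NVRs of the same package."""
    _, va, ra = parse_nvr(a)
    _, vb, rb = parse_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_signing_queue(pending: List[str], stable: Dict[str, str],
                        dist_tag: str) -> List[dict]:
    """Flag what a releng reviewer would catch by eye: builds that are not
    newer than what is already in stable, builds carrying another
    release's dist tag, and packages never seen in stable before."""
    tag_re = re.compile(r"\." + re.escape(dist_tag) + r"(\.|$)")
    findings = []
    for nvr in pending:
        name, _, release = parse_nvr(nvr)
        if not tag_re.search(release):
            findings.append({"nvr": nvr, "severity": "block",
                             "reason": f"release does not carry .{dist_tag}"})
        current = stable.get(name)
        if current is None:
            findings.append({"nvr": nvr, "severity": "info",
                             "reason": "package has no build in stable yet"})
        elif compare_vr(nvr, current) <= 0:
            findings.append({"nvr": nvr, "severity": "block",
                             "reason": f"not newer than stable build {current}"})
    return findings


def queue_is_clean(findings: List[dict]) -> bool:
    """True only when nothing in the report would stop the signing run."""
    return not any(f["severity"] == "block" for f in findings)


# Constructed data: a pending queue for a hypothetical f22 update push and
# the build currently in stable for each package.
PENDING = [
    "kernel-4.0.0-1.fc22",
    "bash-4.3.33-1.fc20",        # stale build from an older release
    "vim-7.4.640-1.fc22",        # older than what stable already has
    "newpkg-1.0-1.fc22",         # never shipped before
    "openssl-1.0.1k-6.fc22",
]
STABLE = {
    "kernel": "kernel-3.19.3-200.fc22",
    "bash": "bash-4.3.33-3.fc22",
    "vim": "vim-7.4.663-2.fc22",
    "openssl": "openssl-1.0.1k-5.fc22",
}

if __name__ == "__main__":
    report = check_signing_queue(PENDING, STABLE, "fc22")
    for f in report:
        print(f"{f['severity']:5}  {f['nvr']:28}  {f['reason']}")
    print("clean" if queue_is_clean(report) else "HOLD: review before signing")
```

Only the findings reach the reviewer, which is the reporting Kevin asks for: the run holds on any `block` finding and a new package is merely noted. Swapping the constructed lists for real queries against bodhi and koji is the part this example leaves out.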



