A proposal for Fedora updates

Sérgio Basto sergio at serjux.com
Tue Mar 31 22:53:05 UTC 2015


On Ter, 2015-03-31 at 16:11 -0600, Kevin Fenzi wrote:
> On Tue, 31 Mar 2015 10:55:38 +0200
> Miroslav Suchý <msuchy at redhat.com> wrote:
> 
> > On 03/27/2015 01:49 PM, Kevin Fenzi wrote:
> > > * releng person gathers list of pending update requests from bodhi.
> > >   (a few minutes)
> > > 
> > > * releng person looks over list for anything out of the ordinary or
> > >   off. (another few minutes)
> > > 
> > > * releng person tells sigul to sign that list of packages and write
> > > out the signed ones in koji. The releng person talks to the sigul
> > > bridge and the sigul vault (which is not reachable via ssh) talks
> > > to the bridge.
> > 
> > Few minutes, but manual minutes. IIRC rest of the process is
> > automatic. Do we really need human here? What can be extraordinary
> > here? Even if I have that security incident years ago in my mind, I
> > could not figure out why we need human reviewing list of packages to
> > sign.
> 
> Well, fully automated processes are good at just doing what they are
> told, and humans are good (sometimes) at spotting patterns, so I could
> see a human catching something like an old obviously not current
> package being in the signing list, or some obvious bad version of a
> existing package. Shrug. 
> 
> We have been working on automated signing of rawhide, and this could
> replace the humans elsewhere too, 

I vote in automated updates-testing with one regularity of pushes (2
times a day for example)  

> but we would want to make sure it has
> checks and also lots and lots of reporting so humans can still see
> something wrong and stop it from doing something bad. 
> 
> kevin
> 
> 
> -- 
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

-- 
Sérgio M. B.



More information about the devel mailing list