A proposal for Fedora updates
sergio at serjux.com
Tue Mar 31 22:53:05 UTC 2015
On Ter, 2015-03-31 at 16:11 -0600, Kevin Fenzi wrote:
> On Tue, 31 Mar 2015 10:55:38 +0200
> Miroslav Suchý <msuchy at redhat.com> wrote:
> > On 03/27/2015 01:49 PM, Kevin Fenzi wrote:
> > > * releng person gathers list of pending update requests from bodhi.
> > > (a few minutes)
> > >
> > > * releng person looks over list for anything out of the ordinary or
> > > off. (another few minutes)
> > >
> > > * releng person tells sigul to sign that list of packages and write
> > > out the signed ones in koji. The releng person talks to the sigul
> > > bridge and the sigul vault (which is not reachable via ssh) talks
> > > to the bridge.
> > Few minutes, but manual minutes. IIRC rest of the process is
> > automatic. Do we really need human here? What can be extraordinary
> > here? Even if I have that security incident years ago in my mind, I
> > could not figure out why we need human reviewing list of packages to
> > sign.
> Well, fully automated processes are good at just doing what they are
> told, and humans are good (sometimes) at spotting patterns, so I could
> see a human catching something like an old obviously not current
> package being in the signing list, or some obvious bad version of a
> existing package. Shrug.
> We have been working on automated signing of rawhide, and this could
> replace the humans elsewhere too,
I vote in automated updates-testing with one regularity of pushes (2
times a day for example)
> but we would want to make sure it has
> checks and also lots and lots of reporting so humans can still see
> something wrong and stop it from doing something bad.
> devel mailing list
> devel at lists.fedoraproject.org
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Sérgio M. B.
More information about the devel