areas where we can invest in automation?

Kevin Fenzi kevin at scrye.com
Tue May 28 18:03:34 UTC 2013


On Tue, 28 May 2013 08:49:03 -0500
Bruno Wolff III <bruno at wolff.to> wrote:

> If we are willing to have packages being signed just mean they were
> built with koji, we could have a tool that could do the signing so
> that packages could move from pending to testing or updates without
> human intervention and with the same key being used for all koji
> (non-scratch) builds, hard links could be used to save space on the
> mirrors for packages that appear in multiple repos.

I looked into this earlier this year. There is a koji plugin to do
this, but it's very unacceptable to koji upstream. It also means we
need to keep signed packages for everything for all time, which is more
space on our end and finally it's a nasty security issue as the
password for the key has to be stored in the plugin that does this. 

A possibly nicer idea would be moving to signed repodata. Then if you
see the correct sha512 or whatever in the signed repodata you know the
package is good. That does have downsides too tho, as you can't verify
things once they are obsolete or offline.

It's not an easy problem to solve...

kevin
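
Added example, not part of the original message and not Fedora or koji code: a sketch of the signed-repodata check described above, where a signed repomd.xml vouches for primary.xml and primary.xml vouches for each package. It assumes the repomd.xml signature was already verified separately (e.g. with gpg), uses constructed, uncompressed sample metadata, and all function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO = "{http://linux.duke.edu/metadata/repo}"
COMMON = "{http://linux.duke.edu/metadata/common}"

def digest(data, algo):
    return hashlib.new(algo, data).hexdigest()

def trusted_package_sums(repomd_xml, primary_xml):
    """Assumes repomd_xml's detached signature was already verified.
    Returns {location: (algo, digest)} only if primary_xml matches repomd.xml."""
    for data in ET.fromstring(repomd_xml).iter(REPO + "data"):
        if data.get("type") == "primary":
            c = data.find(REPO + "checksum")
            # Hash the primary metadata before parsing it.
            if digest(primary_xml, c.get("type")) != c.text.strip():
                raise ValueError("primary metadata does not match signed repomd.xml")
            break
    else:
        raise ValueError("repomd.xml lists no primary metadata")
    sums = {}
    for pkg in ET.fromstring(primary_xml).iter(COMMON + "package"):
        c = pkg.find(COMMON + "checksum")
        sums[pkg.find(COMMON + "location").get("href")] = (c.get("type"), c.text.strip())
    return sums

def verify_package(sums, href, rpm_bytes):
    """'ok', 'mismatch', or 'unknown' when the package is not in this repodata."""
    if href not in sums:
        return "unknown"  # e.g. obsoleted: the current signed metadata no longer lists it
    algo, expected = sums[href]
    return "ok" if digest(rpm_bytes, algo) == expected else "mismatch"

# Constructed sample data (not a real repository). Real repos usually ship
# compressed primary metadata, and repomd.xml's <checksum> covers that file.
RPM = b"constructed stand-in for foo-1.0-1.noarch.rpm"
PRIMARY = ('<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
           '<package type="rpm"><name>foo</name>'
           '<checksum type="sha512" pkgid="YES">%s</checksum>'
           '<location href="Packages/foo-1.0-1.noarch.rpm"/></package></metadata>'
           % digest(RPM, "sha512")).encode()
REPOMD = ('<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
          '<checksum type="sha512">%s</checksum>'
          '<location href="repodata/primary.xml"/></data></repomd>'
          % digest(PRIMARY, "sha512")).encode()

SUMS = trusted_package_sums(REPOMD, PRIMARY)
print(verify_package(SUMS, "Packages/foo-1.0-1.noarch.rpm", RPM))
```

The "unknown" result is the downside raised in the message: once a package drops out of the current repodata, this scheme has nothing left to check it against.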
