Plan of work for Copr signing

Paul W. Frields stickster at gmail.com
Thu May 22 18:47:19 UTC 2014


On Thu, May 22, 2014 at 09:58:47AM +0200, Miroslav Suchý wrote:
> FYI - this is my schedule of work needed to sign packages in Copr:
> 
> Hardware:
> =========
> Next visit in PHX is planned on June/July. Next one is January of 2015.
> 
> The ideal (and most paranoid) setup would require one physical machine for
> the signing server and one for copr-backend, with one wire between them and no
> remote access to the signing server.
> 
> But we have no HW for this.
> 
> What we can have is the signing machine in a VM with a restrictive SW-defined
> network. If that VM can be the only VM on the host, it would be great.
> 
> Setting up the VM and networking and creating the ansible manifest can take up to one week.
> 
> 
> Software:
> =========
> I would go the obs-sign way.
> It would require getting one patch into GPG2. The patch is made by SuSe, but does not live in upstream.
> TMraz (RH packager) preliminarily approved this patch, but has a few comments
> which would need to be addressed (name of cmd option, no man page...). Then I
> will try to get it into upstream, but there is a risk of rejection. But TMraz is
> willing to accept it as a patch into the Fedora and RH package. This is the backup
> plan. (1.5 weeks to work on the patch, 1 w for communication with upstream or
> tmraz)
> JStribrny promised to re-package obs-sign. (0.5w)
> We should enhance the documentation of obs-sign and likely write a HOWTO for deployment. (0.75w)
> We need to deploy and configure obs-sign on VM. (0.75w)
> Mutatis mutandis of Copr (1w).
> Sum it up (5.5 weeks)
> 
> Total = 6.5 weeks

Has there been any review of the package signing process by security
guys?  Since this is presumably different from the standard Fedora
package signing process, it might make sense to have someone advise,
if not done already.

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
    The open source story continues to grow: http://opensource.com

