Plan of work for Copr signing

Kevin Fenzi kevin at scrye.com
Fri May 23 15:45:46 UTC 2014 

On Thu, 22 May 2014 09:58:47 +0200
Miroslav Suchý <msuchy at redhat.com> wrote:

> FYI - this is my schedule of work needed to sign packages in Copr:

...snip...

> But we have not HW for this.
> 
> What we can have is have signing machine in VM with restrictive SW
> defined network. If that VM can be only one VM on host, then it would
> be great.

If that was the case, then we would have dedicated hardware for it? 
:) 
We should be able to put this vm on a vmhost in the cloud network, but
not in the cloud and restrict it pretty heavily. 

> To set up VM and networking and create ansible manifest, can take up
> to one week.
>
> Software:
> =========
> I would go the obs-sign way.
> It would require to get one patch into GPG2. Patch is made by SuSe,
> but does not live in upstream. TMraz (RH packager) preliminary
> approved this patch, but have few comments, which would need to be
> address (name of cmd option, no man page...). Then I will try to get
> it in upstream, but there is risc of rejecting. But TMraz is willing
> to accept it as patch into Fedora and RH package. This is backup
> plan. (1.5 week to work on patch, 1 w for communitation with upstream
> or tmraz) JStribrny promised to re-package obs-sign. (0.5w) We should
> enhance documentation of obs-sign and likely write HOWTO for
> deployment. (0.75w) We need to deploy and configure obs-sign on VM.
> (0.75w) Mutatis mutandis of Copr (1w). Sum it up (5.5 week)
> 
> Total = 6.5 weeks

Some questions: 

Is it intended that signing keys are: 

* 1 set for all copr
or
* a key per user
or
* a key per copr

When are things intended to be signed? At the end of successfull build?
Or when someone requests that? Or when they are added to something like
the playground repo?

If signing fails, will that fail the build?

Can obs-signd handle multiple incoming connections? Or can it only sign
one thing at a time? Would things block waiting to sign?

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20140523/04fb7f8b/attachment.sig>

More information about the infrastructure mailing list