jwboyer at gmail.com
Thu Feb 5 16:09:48 UTC 2009
On Thu, Feb 05, 2009 at 07:31:09AM -0800, Jesse Keating wrote:
>On Thu, 2009-02-05 at 08:33 -0500, Josh Boyer wrote:
>> So, what's needed to really get sigul up and running?
>> mitr has the code in what appears to be pretty good shape. I
>> can certainly install it a bit and play around with it here on
>> some KVM guests locally, but that isn't going to further us
>> very much other than getting some more testing.
>> I know everyone is busy so if there are things I can do to help
>> this progress, just let me know. I should have access to most
>> of the rel-eng and infrastructure machines, but I think we
>> might have some special requirements here for machines and I'm
>> not entirely sure what those are.
>We'll need a couple test guests from infra to deploy sigul. Mitr and I
>had talked a bit about making it work on el5, not sure if that has been
>done or if our guests need to be a Fedora flavor. Then we need to get
Author: Miloslav Trmač <mitr at redhat.com>
Date: Sun Jan 11 23:50:54 2009 +0100
Modify to run on RHEL5.
So I guess so.
>the hub and signer setup and hooked into FAS. Then we need to generate
>a test key. This is where things get sticky. For F11 we want a bigger
>DSA key so that we can sign with a big enough bit size. Unfortunately
>koji is not ready to accept such keys and we have to wait for a new koji
>roll out (coming soon). In the meantime we can generate some test keys
>of smaller size, to match those we're using in f9/f10 (I'm not quite
>comfortable giving out the f9/f10 keys on the test systems just yet) so
>that we can test signing/importing/writing out with koji.
Test keys are fine for now. It's getting stuff set up to play with that
is the important part I guess.
>Once those pathways are smooth, then it's just a matter of getting more
>permanent resources in place. There is another hardware key holder I
>want to look at, to use in conjunction with sigul to improve our key
>security but that may not be necessary or timely.
What happened with the original card thing you ordered that used a pin?
Anyway, that should be able to get phased in later, yes?
>If you wanted to drive some of this, I'd really appreciate it, as it
>would free me up to keep pounding on the automated QA work that I've
>been making promises about.
So from an infrastructure point of view, do we simply want to start
testing it out with a single guest running everything? When I talked
to Mitr about it this morning, that is how he had been testing. Or
would you rather get 2 guests in place, one for the server and one for