<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hi all,</div><div><br></div><div>Just be careful with the self-signed certs to use at least SHA256, not MD5, since openssl in Red Hat 7 does not support MD5 any more.</div><div>For example, if you want to run RHEL7/CentOS7 as a koji builder, you will have a problem with MD5 certs. I had the same problem with an existing koji and RHEL7 builders. :)</div><div><br></div><div>Cheers,</div><div>Peter Bojtos</div><div>ULX Ltd.</div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Thomas Oulevey" &lt;thomas.oulevey@cern.ch&gt;<br><b>To: </b>centos-devel@centos.org<br><b>Sent: </b>Thursday, June 26, 2014 14:56:52<br><b>Subject: </b>[CentOS-devel] Community build system<br><div><br></div>Hi All,<br><div><br></div>The initial idea is to configure Koji and make it available to the<br>community.<br><div><br></div>Thanks to Karanbir/Fabian we already got the hardware and installation<br>is ongoing.<br><div><br></div>But first, we would like to ask for feedback:<br><div><br></div>1/ PKI setup, a proposal:<br>- koji-web uses a certificate signed by an external CA (and obviously<br>trusted)<br>- the rest of the koji architecture (hub and kojid) will use a<br>self-signed CA that we'll use to also generate other certs. The<br>proposal is to gpg encrypt the CA within a non-public GIT repo.<br>Talking with Fabian, he already uses this method for other<br>infrastructure projects.<br>- the clients (at the beginning git.c.o) will use self-signed CA.<br><div><br></div>This needs to be discussed in the light of future integration of<br>different user facing tools (koji, git, etc...) 
and if we want to<br>provide koji client accesses, as Fedora project does.<br><div><br></div>2/ Hostnames to use:<br>- After a round on #centos-devel, cbs.centos.org was the best we can<br>come up with. Comments ?<br>- For the builders machine, we should decide on a decent naming as<br>this info appears in RPM metadata.<br>i.e : builder01.cbs.centos.org, builder02.cbs.centos.org, etc...<br>Do we want to deal with different "architecture family" within the<br>name (e.g ARM) ?<br>i.e : x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org<br><div><br></div>Your comments are very welcome!<br><div><br></div>cheers,<br>-- <br>Thomas 'alphacc' Oulevey<br>_______________________________________________<br>CentOS-devel mailing list<br>CentOS-devel@centos.org<br>http://lists.centos.org/mailman/listinfo/centos-devel</blockquote></div></body></html>