Karanbir Singh wrote:
Change which part ? signing them or automating something ? The reason debuginfo's are not signed is that bringing them into a securebox for the signing process and pushing them out again easily triples the time factor.
Personally I would rather wait even longer if that meant signed packages. Of course it would not be an ideal solution, but I think the security risk of installing unsigned packages is much worse than the inconvenience of waiting.
Also this would only be a big problem at release time, for ordinary updates the delay should not be that bad.
At the moment, there are 2 internal and 1 external mirror for debuginfo
- that can be increased if required. I know that atleast mirrorservice
and kernel.org have previously said that they will make more space available to centos.org if we need it on their mirrors - and they are happy to host vhost's for debuginfo / beta's.
If disk space on mirrors is a problem you could separate the debuginfo into one directory per release, and move older ones to vault.centos.org.
Regards,
Pär Andersson National Supercomputer Centre, Sweden