On Wed, May 05, 2021 at 03:21:31PM +0000, Davide Cavalca via CentOS-devel wrote:
> On Wed, 2021-05-05 at 13:59 +0200, Fabian Arrotin wrote:
> > I started to rsync/pull epel7/8 pkgs for x86_64,aarch64,ppc64le on a temporary place and we can start testing importing pkgs.
> > *but* it's where it needs probably a little bit of clarification: while initial request was to just have access to EPEL pkgs to satisfy Requires: and/or BuildRequires: I'm wondering about a redistribution policy (if any) for pkgs built on fedora infra and that SIGs would be able to just redistribute if they tag such pkg in their own tag (mostly for -{testing,release}).
> > Each pkg tag for -release would go out on mirror CDN, but signed with SIG gpg key
>
> I can think of one downside of this: it would result in packages with the same ENVR, but different signatures and checksums. I know this would be a problem for FB (due to how some of our internal tooling works), but I'm not sure what other side effects it could bring. If we go down this path, would it be possible to *not* resign the packages, and just leave them signed with the EPEL key?
There is a koji import-sig call. So, in theory, the scripting could just import the signatures from fedora koji and then cbs could write out needed signed copies for whatever reason.
I think that will require downloading/calling fedora koji directly though, as the detached signatures are not in the download/repo, only on the koji hub.
Should be possible from a technical side though I would think...
kevin
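The downside Davide raises (same ENVR, different signature and checksum once a SIG re-signs an EPEL package) is easy to check for mechanically before a repo goes out to the CDN. The script below is an added example written for this thread, not code from CentOS infra, koji or Facebook tooling. It works on constructed package records: every name, checksum and key ID in it is a placeholder. It groups records by ENVRA, flags groups whose checksum differs between repos, and separately lists packages signed by a key outside an allowed set, which is the check you would run if the decision is to keep the EPEL signature rather than re-sign.

```python
"""Detect RPMs that share an ENVRA but differ in checksum or signing key.

Added example (not from the CentOS-devel thread). It models the case
Davide describes: an EPEL package re-signed with a SIG key keeps the same
name-epoch-version-release-arch but ships with a different signature and
checksum. All package records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RpmRecord:
    repo: str          # repository the record was taken from
    name: str
    epoch: int
    version: str
    release: str
    arch: str
    sha256: str        # checksum of the RPM file as shipped in that repo
    sig_keyid: str     # key ID from the signature header, "" if unsigned

    @property
    def envra(self) -> str:
        return f"{self.name}-{self.epoch}:{self.version}-{self.release}.{self.arch}"


def find_envra_conflicts(records):
    """Group records by ENVRA and report groups whose checksums differ.

    Returns {ENVRA: [(repo, sha256, sig_keyid), ...]} for conflicting groups
    only. The same ENVRA with an identical checksum is not a conflict: that
    is the "import the signature, do not resign" outcome Davide asks for.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[rec.envra].append(rec)
    conflicts = {}
    for envra, grp in groups.items():
        if len({rec.sha256 for rec in grp}) > 1:
            conflicts[envra] = sorted((rec.repo, rec.sha256, rec.sig_keyid) for rec in grp)
    return conflicts


def unexpected_signers(records, allowed_keyids):
    """Return (repo, ENVRA, keyid) for records not signed by an allowed key.

    Unsigned packages (empty key ID) are reported too, since "" is never in
    the allowed set.
    """
    return [(rec.repo, rec.envra, rec.sig_keyid)
            for rec in records if rec.sig_keyid not in allowed_keyids]


# Constructed sample data. Key IDs are placeholders, not real EPEL or SIG keys.
EPEL_KEY = "EPELKEY0"
SIG_KEY = "SIGKEY00"
SAMPLE = [
    RpmRecord("epel8", "foo", 0, "1.2", "3.el8", "x86_64", "a" * 64, EPEL_KEY),
    # same ENVRA, re-signed by the SIG: the file bytes and checksum change
    RpmRecord("sig-release", "foo", 0, "1.2", "3.el8", "x86_64", "b" * 64, SIG_KEY),
    RpmRecord("epel8", "bar", 1, "0.9", "1.el8", "noarch", "c" * 64, EPEL_KEY),
    # same ENVRA, EPEL signature imported instead of re-signing: identical bits
    RpmRecord("sig-release", "bar", 1, "0.9", "1.el8", "noarch", "c" * 64, EPEL_KEY),
    # unsigned package that slipped into a testing tag
    RpmRecord("sig-testing", "baz", 0, "2.0", "1.el8", "aarch64", "d" * 64, ""),
]


if __name__ == "__main__":
    for envra, entries in find_envra_conflicts(SAMPLE).items():
        print(f"CONFLICT {envra}")
        for repo, sha, key in entries:
            print(f"  {repo:12s} sha256={sha[:12]}... key={key or '<unsigned>'}")
    for repo, envra, key in unexpected_signers(SAMPLE, {EPEL_KEY}):
        print(f"UNEXPECTED SIGNER {repo} {envra} key={key or '<unsigned>'}")
```

To feed it real data you would build RpmRecord entries from the repos being compared: the checksum from sha256sum and the signing key ID from rpm -qp --qf '%{SIGPGP:pgpsig}' on each file. If the signature-import route Kevin describes is taken (koji import-sig followed by writing out signed copies), the expected result is that the epel and SIG repos produce no conflicts at all and every record carries the EPEL key ID, which is exactly what the two checks assert.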