On Sun, 9 Jun 2024 at 15:32, Neal Gompa <ngompa13@gmail.com> wrote:
On Thu, Jun 6, 2024 at 9:42 AM Adam Samalik <asamalik@redhat.com> wrote:
>
> Hey everyone!
>
>
> The CentOS Stream 10 compose with 100% signed RPMs is now available!
>
>
> (links below)
>
>
> Please note the compose is still taking shape. Packages are still being added and even removed at this point. Not all packages are fully onboarded to gating, so just some updates are landing (more and more every day!). Packages are being moved between repositories. Comps groups are being updated... well you get the idea.
>
>
> But you can already contribute! Just please talk to the maintainers [1] first. Every team has their own plan and capacity to accommodate various levels of change.
>
>
> Oh and we don't have mirrors in place yet (coming soon though)! So I'm sending this just to the devel list. But the repo configuration (coming from the centos-stream-release package) points to the compose for now, so package installation and updates will work.
>
>
> Cheers!
>
> Adam
>
>
> PS: I know the compose URL says "production". That's the tooling doing this, it's a hardcoded word. But in reality it means "only signed packages from the pending tag" [2]. (It's actually c10s-compose: https://kojihub.stream.centos.org/koji/taginfo?tagID=1556 )
>
>
> There's also a "development" compose which means "unsigned packages from the candidate tag". (And this one is in fact c10s-compose-development: https://kojihub.stream.centos.org/koji/taginfo?tagID=3301 )
>
>
> As a reminder, the "candidate" tag represents builds that pass gating, but haven't gone through internal paperwork and "haven't properly landed" yet. They're also not in the buildroot. The "pending" means it went through all that.
>
>
> PPS: Compose tests are not passing yet! But they're running, and the system is installable (at least it was for me when writing this!) and definitely usable for playing around with.
>
> Test results: https://testing.stream.centos.org/view/c10s%20-%20compose/
>
>
> PPPS: Yes, I know, the installer still has the old CentOS logo. But the Artwork SIG has it all ready, we just need to update the package: https://gitlab.com/CentOS/artwork/centos-brand/-/issues/2
>
>
> ---
>
>
> The links!
>
>
> The compose: https://composes.stream.centos.org/stream-10/production/latest-CentOS-Stream/
>
>
> Install ISOs:
>
> - aarch64: https://composes.stream.centos.org/stream-10/production/latest-CentOS-Stream/compose/BaseOS/aarch64/iso/
>
> - x86_64: https://composes.stream.centos.org/stream-10/production/latest-CentOS-Stream/compose/BaseOS/x86_64/iso/
>
> - ... and other arches, it should be findable!
>
>
> Container images:
>
> - $ podman pull quay.io/centos/centos:stream10-development
>
> - https://quay.io/repository/centos/centos?tab=tags
>
>
>
>
> [1] Open a RHEL bug / issue: https://docs.centos.org/en-US/stream-contrib/quickstart/#_1_file_an_issue
>
> [2] Tag structure: https://docs.centos.org/en-US/stream-contrib/quickstart/#_release_engineering_pipelines_and_package_state
>

Do you know when compose repositories will have signed repository
metadata? I looked at the repository content and noticed that it
doesn't have repomd.xml.asc.

Composes in https://composes.stream.centos.org/ never had signed metadata. It's only the mirrored content (where the metadata is slightly different, also including some previous versions of RPMs) that had the signatures.

Anyway, "never had" absolutely doesn't mean "shouldn't"! :D 

Would you please mind opening a CS ticket in Jira? It shouldn't be hard to implement it for both c9s and c10s. I'm all for more integrity checks.
--
真実はいつも一つ!/ Always, there's only one truth!
--

Adam Samalik
---------------------------
Principal Software Engineer
Red Hat
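Added example (not code from the CentOS Stream project or from either poster) illustrating what repomd.xml.asc adds to the integrity chain the thread is discussing. repomd.xml lists each metadata file with its size, sha256 and open-checksum, and dnf checks those hashes; with `repo_gpgcheck=1` dnf additionally verifies the OpenPGP signature in repomd.xml.asc over repomd.xml, which is what anchors the chain. The script builds a constructed repodata/ tree in a temporary directory (sample data, not real CentOS metadata), verifies the declared hashes, and then shows that a mirror operator or on-path attacker who rewrites primary.xml.gz and repomd.xml together passes every hash check, while a file corrupted without touching repomd.xml is caught. Verifying the OpenPGP signature itself is left to gpg/dnf; this code only reports whether the .asc file is present. Function and file names are the example's own.

```python
"""Check the checksum chain inside a YUM/DNF repodata/ tree and report whether
repomd.xml.asc (the signed-metadata marker) is present.

Added example, not CentOS Stream tooling. The hashes below are what dnf checks
with gpgcheck alone; the OpenPGP signature in repomd.xml.asc is what
repo_gpgcheck=1 verifies, and that step is not reimplemented here.
"""
import gzip
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repodata(directory: str, primary_xml: bytes) -> None:
    """Write a minimal constructed repodata/ tree: primary.xml.gz + repomd.xml.

    Constructed sample data for the example; real repodata also carries
    filelists, other, comps, updateinfo and more, with the same element layout.
    """
    repodata = os.path.join(directory, "repodata")
    os.makedirs(repodata, exist_ok=True)
    gz = gzip.compress(primary_xml, mtime=0)
    name = f"{_sha256(gz)}-primary.xml.gz"
    with open(os.path.join(repodata, name), "wb") as fh:
        fh.write(gz)
    repomd = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
  <data type="primary">
    <checksum type="sha256">{_sha256(gz)}</checksum>
    <open-checksum type="sha256">{_sha256(primary_xml)}</open-checksum>
    <location href="repodata/{name}"/>
    <size>{len(gz)}</size>
    <open-size>{len(primary_xml)}</open-size>
  </data>
</repomd>
"""
    with open(os.path.join(repodata, "repomd.xml"), "w", encoding="utf-8") as fh:
        fh.write(repomd)


def verify_repodata(directory: str) -> dict:
    """Return {'signed': bool, 'files': {data type: hashes ok}} for one repo.

    'signed' only records whether repomd.xml.asc exists; gpg/dnf must still
    verify that signature against the trusted key.
    """
    repodata = os.path.join(directory, "repodata")
    root = ET.parse(os.path.join(repodata, "repomd.xml")).getroot()
    results = {}
    for data in root.findall("repo:data", NS):
        href = data.find("repo:location", NS).get("href")
        with open(os.path.join(directory, href), "rb") as fh:
            raw = fh.read()
        csum = data.find("repo:checksum", NS)
        size = data.find("repo:size", NS)
        ocsum = data.find("repo:open-checksum", NS)
        # sha256 of the file as served; stop early on mismatch so a corrupted
        # gzip stream is never decompressed
        ok = csum is not None and csum.get("type") == "sha256" \
            and _sha256(raw) == csum.text.strip()
        if ok and size is not None:
            ok = len(raw) == int(size.text)
        if ok and ocsum is not None and href.endswith(".gz"):
            ok = _sha256(gzip.decompress(raw)) == ocsum.text.strip()
        results[data.get("type")] = bool(ok)
    signed = os.path.exists(os.path.join(repodata, "repomd.xml.asc"))
    return {"signed": signed, "files": results}


def demo() -> dict:
    """Clean repo, consistently rewritten repo, and a corrupted data file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        build_repodata(tmp, b"<metadata packages='1'/>")
        results["clean"] = verify_repodata(tmp)
        # Whoever controls the mirror (or the plain-HTTP path to it) rewrites
        # primary.xml.gz and repomd.xml together: every hash still matches,
        # because nothing binds repomd.xml without repomd.xml.asc.
        build_repodata(tmp, b"<metadata packages='1'><!-- rogue --></metadata>")
        results["tampered"] = verify_repodata(tmp)
        # Changing a data file without updating repomd.xml is caught.
        root = ET.parse(os.path.join(tmp, "repodata", "repomd.xml")).getroot()
        href = root.find("repo:data/repo:location", NS).get("href")
        with open(os.path.join(tmp, href), "ab") as fh:
            fh.write(b"\x00")
        results["corrupted"] = verify_repodata(tmp)
    return results


if __name__ == "__main__":
    for scenario, report in demo().items():
        print(f"{scenario:10s} signed={report['signed']} files={report['files']}")
```

The practical takeaway for a repo definition: `gpgcheck=1` only authenticates the RPMs themselves, so an unsigned repomd.xml lets a mirror silently hide an update or serve an older, still validly signed package set; `repo_gpgcheck=1` makes dnf refuse the repository unless repomd.xml.asc verifies against the configured `gpgkey`, which is why the composes (which have no .asc) would fail with that setting while the mirrored content would not.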