On 09/30/2014 03:24 PM, Joe Brockmeier wrote:
Hi all,
During last week's meeting I agreed to bring this up (sorry for the delay).
KB asked "do we care and how much, if at all, that the key used to sign the content is the real distro key?" (Because at the outset, it's going to be more difficult to use the distro key for Atomic host.)
IMO, we don't so long as we have a SIG key that is publicized. I don't see any reason it has to be the main CentOS / distro key.
Any objections/thoughts/comments?
I've been working out the backend mechanisms and infra that might be needed, this is also an open conversation / decision point with the board;
The safe assumption would be to assume a rpm-sign.sh proxy will come up, whats on the other end of that is still up in the air. But the sign process SHOULD block on that call; there might be some network request involved, am trying really hard for there not to be, but I dont think there is an easy way out, as yet.
I will have more details on the key itself in the next few days,