Hey,
I've been trying to get the CentOS SIG repositories enabled in the openSUSE Build Service[1].
Today, I started working with Adrian Schröter (who is CC'd to this email) on getting this done, and the issue right now is that there's no way to securely validate the repodata.
OBS supports two ways:
1. Validating repodata from a mirror using the copy on the master server fetched through HTTPS.
2. Validating repodata through GPG-signed repodata (signed repomd.xml)
While the base repositories do the latter, none of the repositories produced through CBS do, and _nothing_ currently does the former.
Is there something that can be done to make this better so we can have nice things?
Best regards, Neal
[1]: https://progress.opensuse.org/issues/29568
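Why the thread hinges on authenticating repomd.xml specifically: once that one file is trusted (via a signed repomd.xml or an identical copy fetched from the master server over HTTPS), every other metadata file is validated against the digests it declares. The following is an added illustration, not code from the thread or from OBS; the repomd.xml and the primary.xml stand-in are constructed sample data.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# repomd.xml uses the standard createrepo namespace.
NS = {"repo": "http://linux.duke.edu/metadata/repo"}

# Constructed stand-in for repodata/primary.xml (real files are gzipped and large).
PRIMARY_BYTES = b'<metadata packages="0"/>\n'

# Constructed repomd.xml declaring the checksum of that file.
REPOMD_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
    '  <data type="primary">\n'
    f'    <checksum type="sha256">{hashlib.sha256(PRIMARY_BYTES).hexdigest()}</checksum>\n'
    '    <location href="repodata/primary.xml"/>\n'
    '  </data>\n'
    '</repomd>\n'
).encode()


def repomd_matches_master(mirror_repomd: bytes, master_repomd: bytes) -> bool:
    """Option 1 from the thread: a mirror's repomd.xml is trusted only if it is
    byte-identical to the copy fetched from the master server over HTTPS."""
    return hmac.compare_digest(mirror_repomd, master_repomd)


def declared_checksums(repomd: bytes) -> dict:
    """Parse repomd.xml into {href: (algorithm, hexdigest)} for every <data> entry."""
    root = ET.fromstring(repomd)
    result = {}
    for data in root.findall("repo:data", NS):
        checksum = data.find("repo:checksum", NS)
        location = data.find("repo:location", NS)
        if checksum is None or location is None:
            continue  # malformed entry: files under it will simply fail verification
        result[location.get("href")] = (checksum.get("type"), checksum.text.strip())
    return result


def verify_metadata_file(repomd: bytes, href: str, content: bytes) -> bool:
    """Check a downloaded metadata file against the digest in an already-trusted repomd.xml."""
    entry = declared_checksums(repomd).get(href)
    if entry is None:
        return False  # not listed in repomd.xml: nothing vouches for this file
    algorithm, expected = entry
    if algorithm not in hashlib.algorithms_available:
        return False  # unknown digest type: refuse rather than guess
    actual = hashlib.new(algorithm, content).hexdigest()
    return hmac.compare_digest(actual, expected.lower())
```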
On 08/02/18 17:45, Neal Gompa wrote:
As option [2] is already in place for base distro (but not all arches), maybe that's the way to do it for the other repositories (using different GPG keys too). @KB: is that something you can add in your script?
On 02/12/2018 02:13 AM, Fabian Arrotin wrote:
The signatures for repomd.txt.asc can either be done on the stand-alone signing machines or as a gpg call if the rpms are signed by a gpg key on a local machine, etc.
I have sent KB the methods currently used to do this for x86_64, i386, and aarch64.
But, rather than building CentOS related things on OBS (which is fine if you want to do that, it is open source, so to each their own :D ) .. I think a better option might be (my own personal opinion, mind you) to have said 'nice things' become part of CentOS.org named space in a SIG and be built from git.centos.org and by the Community Build System for all users rather than have them go looking for those things outside the CentOS.org name space. Then everyone using CentOS has access to them where they already know to look.
On Mon, Feb 19, 2018 at 9:58 AM, Johnny Hughes johnny@centos.org wrote:
In this case, I'm trying to build packages for Fedora, CentOS/RHEL, openSUSE, Ubuntu, and Debian using the same sources (using the same spec file). OBS uniquely offers this capability. The CentOS CBS only supports building for CentOS.
I have considered offering things through CBS, but I don't know what's involved there...