On 26/06/14 14:56, Thomas Oulevey wrote:
> Hi All,
>
> The initial idea is to configure Koji and make it available to the
> community.
>
> Thanks to Karanbir/Fabian we already got the hardware and
> installation is ongoing.
>
> But first, we would like to ask for feedback:
>
> 1/ PKI setup, a proposal:
> - koji-web uses a certificate signed by an external CA (and
>   obviously trusted)
> - the rest of the koji architecture (hub and kojid) will use a
>   self-signed CA that we'll use to also generate other certs. The
>   proposal is to gpg encrypt the CA within a non-public GIT repo.
>   Talking with Fabian, he already uses this method for other
>   infrastructure projects.
> - the clients (at the beginning git.c.o) will use self-signed CA.
>
> This needs to be discussed in the light of future integration of
> different user facing tools (koji, git, etc...) and if we want to
> provide koji client access, as Fedora project does.

Well, I'll (obviously) agree with what we discussed previously.
But just keep in mind that normally we'll not have a bunch of client
certs to generate, because the normal flow will go like this (if I'm
not wrong):

SIGs -> git commit & push -> git.c.o -> hooks -> koji

So in that case, all builds will be triggered by Git, and so we don't
have to generate client certs for people submitting build jobs in the
queue.

It's also worth noting that when we say "community" that doesn't mean
that we open buildservice to the wide world (no OBS here :-) ), just
that SIGs will build packages on that Koji setup (in an automated way).

>
> 2/ Hostnames to use:
> - After a round on #centos-devel, cbs.centos.org was the best we can
>   come up with. Comments?
> - For the builders machine, we should decide on a decent naming as
>   this info appears in RPM metadata.
>   i.e.: builder01.cbs.centos.org, builder02.cbs.centos.org, etc...
>   Do we want to deal with different "architecture family" within the
>   name (e.g. ARM)?
>   i.e.: x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
>
> Your comments are very welcome!
>
> cheers,

I'm fine with the $arch in the fqdn (for logging purposes), so let's
say: builder01-x86.cbs.centos.org? (or the reverse, as you proposed:
$arch-builder${num}.cbs.centos.org)

Cheers,

-- 
Fabian Arrotin
gpg key: 56BEC54E | twitter: @arrfab