On Mon, Feb 19, 2018 at 9:58 AM, Johnny Hughes <johnny at centos.org> wrote:
> On 02/12/2018 02:13 AM, Fabian Arrotin wrote:
>> On 08/02/18 17:45, Neal Gompa wrote:
>>> Hey,
>>>
>>> I've been trying to get the CentOS SIG repositories enabled in the
>>> openSUSE Build Service[1].
>>>
>>> Today, I started working with Adrian Schröter (who is CC'd to this
>>> email) on getting this done, and the issue right now is that there's
>>> no way to securely validate the repodata.
>>>
>>> OBS supports two ways:
>>>
>>> 1. Validating repodata from a mirror using the copy on the master
>>> server fetched through HTTPS.
>>>
>>> 2. Validating repodata through GPG-signed repodata (signed repomd.xml)
>>>
>>> While the base repositories do the latter, none of the repositories
>>> produced through CBS do, and _nothing_ currently does the former.
>>>
>>> Is there something that can be done to make this better so we can have
>>> nice things?
>>>
>>> Best regards,
>>> Neal
>>>
>>> [1]: https://progress.opensuse.org/issues/29568
>>>
>>
>> As option [2] is already in place for base distro (but not all arches),
>> maybe that's the way to do it for the other repositories (using
>> different GPG keys too).
>> @KB : is that something you can add in your script ?
>
> The signatures for repomd.txt.asc can either be done on the stand alone
> signing machines or as a gpg call if the rpms are signed by a gpg key on
> a local machine, etc.
>
> I have sent KB the methods currently used to do this for x86_64, i386,
> and aarch64.
>
> But, rather than building CentOS related things on OBS (which is fine if
> you want to do that, it is open source, so to each their own :D ) .. I
> think a better option might be (my own personal opinion, mind you) to
> have said 'nice things' become part of CentOS.org named space in a SIG
> and be built from git.centos.org and by the Community Build System for
> all users rather than have them go looking for those things outside the
> CentOS.org name space. Then everyone using CentOS has access to them
> where they already know to look.
>

In this case, I'm trying to build packages for Fedora, CentOS/RHEL,
openSUSE, Ubuntu, and Debian using the same sources (using the same
spec file). OBS uniquely offers this capability. The CentOS CBS only
supports building for CentOS. I have considered offering things
through CBS, but I don't know what's involved there...

--
真実はいつも一つ!/ Always, there's only one truth!
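
The second validation method mentioned in the thread (a GPG-signed repomd.xml), sketched as an added example that is not part of the original messages and is not OBS or CentOS code: once the detached signature over repomd.xml checks out, the checksums listed inside it authenticate every other metadata file fetched from an untrusted mirror. The keyring path, the `fetch` callback and the sample repodata are assumptions made for illustration.

```python
import hashlib
import subprocess
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}
ALLOWED = {"sha256", "sha512"}  # refuse weak digests such as md5/sha1


def signature_ok(repomd_path, sig_path, keyring_path):
    """Check the detached signature with gpgv against a pinned keyring."""
    cmd = ["gpgv", "--keyring", keyring_path, sig_path, repomd_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def expected_digests(repomd_bytes):
    """Map each metadata href to (algorithm, hex digest). Call after signature_ok."""
    out = {}
    for data in ET.fromstring(repomd_bytes).findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        csum = data.find("r:checksum", NS)
        out[href] = (csum.get("type"), csum.text.strip().lower())
    return out


def verify_metadata(repomd_bytes, fetch):
    """Return {href: problem} for files that fail; an empty dict means clean.

    `fetch` is a caller-supplied function(href) -> bytes or None (mirror access).
    """
    problems = {}
    for href, (algo, want) in expected_digests(repomd_bytes).items():
        if algo not in ALLOWED:
            problems[href] = "unsupported digest " + str(algo)
            continue
        body = fetch(href)
        if body is None:
            problems[href] = "missing"
        elif hashlib.new(algo, body).hexdigest() != want:
            problems[href] = "checksum mismatch"
    return problems


# Constructed sample: one metadata file and a repomd.xml that describes it.
PRIMARY = b"<metadata packages='0'/>"
REPOMD = (
    '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
    '<data type="primary"><checksum type="sha256">%s</checksum>'
    '<location href="repodata/primary.xml"/></data></repomd>'
    % hashlib.sha256(PRIMARY).hexdigest()
).encode()
```

A repository whose repomd.xml is unsigned gives `signature_ok` nothing to check, which leaves only the first method (comparing against a copy fetched from the master server over HTTPS) to anchor the checksums.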