[CentOS-devel] Making EPEL available in CBS for SIG builds

Fri May 7 07:37:17 UTC 2021
Alfredo Moralejo Alonso <amoralej at redhat.com>

On Fri, May 7, 2021 at 8:07 AM Fabian Arrotin <arrfab at centos.org> wrote:

> On 05/05/2021 17:21, Davide Cavalca via CentOS-devel wrote:
> > On Wed, 2021-05-05 at 13:59 +0200, Fabian Arrotin wrote:
> >> I started to rsync/pull epel7/8 pkgs for x86_64,aarch64,ppc64le on a
> >> temporary place and we can start testing importing pkgs.
> >>
> >> *but* it's where it needs probably a little bit of clarification :
> >> while
> >> initial request was to just have access to EPEL pkgs to satisfy
> >> Requires: and/or BuildRequires: I'm wondering about a redistribution
> >> policy (if any) for pkgs built on fedora infra and that SIGs would be
> >> able to just redistribute if they tag such pkg in their own tag
> >> (mostly
> >> for -{testing,release}).
> >>
> >> Each pkg tag for -release would go out on mirror CDN, but signed with
> >> SIG gpg key
> >
> > I can think of one downside of this: it would result in packages with
> > the same ENVR, but different signatures and checksums. I know this
> > would be a problem for FB (due to how some of our internal tooling
> > works), but I'm not sure what other side effects it could bring. If we
> > go down this path, would it be possible to *not* resign the packages,
> > and just leave them signed with the EPEL key?
> >
> Well, pulling/rsync EPEL signed pkgs and import in cbs is "easy" but
> yeah, the current signing pipeline would just (as it was designed for
> that particular case) sign pkgs in a tags with the SIG gpg key, and not
> have "exceptions"
> So if that's considered an issue to have epel pkgs signed again with SIG
> gpg key in *their* repositories, we should revisit the original RFE.
> The other solution is then : use EPEL as external repo in koji so that
> pkgs depending on (Build)Requires: at build time would find pkgs and so
> build .. but that would mean :
> - such SIG would probably have a dep on epel-release if other EPEL pkgs
> are needed at runtime (probably the case if it was needed also at
> buildtime)
> - no way for SIG to stick to a particular ENVR (and if they want to, -
> thinking about RDO/openstack cloud sig- they'd probably rebuild epel
> pkgs in their tags, like they are doing for some years now ...)
>From RDO/CloudSIG perspective, the workflow of getting EPEL imported in CBS
and tagging the required builds on the SIG tags would work fine if
resigning and redistribution is not a problem.

> So we have two solutions and the easiest/fastest one is probably just to
> import pkgs in koji and SIG can just tag-build what they want/need
> (including cherry-picking ENVR) but with the downside effect of pkg
> signed with a different gpg key (and so my original question to Fedora :
> is that allowed  ?)
> --
> Fabian Arrotin
> The CentOS Project | https://www.centos.org
> gpg key: 17F3B7A1 | twitter: @arrfab
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210507/561a89d1/attachment-0003.html>