On Wed, 2021-05-05 at 13:59 +0200, Fabian Arrotin wrote:
> I started to rsync/pull epel7/8 pkgs for x86_64,aarch64,ppc64le on a
> temporary place and we can start testing importing pkgs.
>
> *but* it's where it needs probably a little bit of clarification :
> while
> initial request was to just have access to EPEL pkgs to satisfy
> Requires: and/or BuildRequires: I'm wondering about a redistribution
> policy (if any) for pkgs built on fedora infra and that SIGs would be
> able to just redistribute if they tag such pkg in their own tag
> (mostly
> for -{testing,release}).
>
> Each pkg tag for -release would go out on mirror CDN, but signed with
> SIG gpg key
I can think of one downside of this: it would result in packages with
the same ENVR, but different signatures and checksums. I know this
would be a problem for FB (due to how some of our internal tooling
works), but I'm not sure what other side effects it could bring. If we
go down this path, would it be possible to *not* resign the packages,
and just leave them signed with the EPEL key?
Cheers
Davide