On Wed, May 05, 2021 at 03:21:31PM +0000, Davide Cavalca via CentOS-devel wrote:
> On Wed, 2021-05-05 at 13:59 +0200, Fabian Arrotin wrote:
> > I started to rsync/pull epel7/8 pkgs for x86_64,aarch64,ppc64le on a
> > temporary place and we can start testing importing pkgs.
> >
> > *but* it's where it needs probably a little bit of clarification :
> > while
> > initial request was to just have access to EPEL pkgs to satisfy
> > Requires: and/or BuildRequires: I'm wondering about a redistribution
> > policy (if any) for pkgs built on fedora infra and that SIGs would be
> > able to just redistribute if they tag such pkg in their own tag
> > (mostly
> > for -{testing,release}).
> >
> > Each pkg tag for -release would go out on mirror CDN, but signed with
> > SIG gpg key
>
> I can think of one downside of this: it would result in packages with
> the same ENVR, but different signatures and checksums. I know this
> would be a problem for FB (due to how some of our internal tooling
> works), but I'm not sure what other side effects it could bring. If we
> go down this path, would it be possible to *not* resign the packages,
> and just leave them signed with the EPEL key?
There is a koji import-sig call. So, in theory, the scripting could just
import the signatures from fedora koji and then cbs could write out
needed signed copies for whatever reason.
I think that will require downloading/calling fedora koji directly tho,
as the detached signatures are not in the download/repo, only on the
koji hub.
Should be possible from a technical side though I would think...
kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20210505/93da0d88/attachment-0005.sig>