[Centos] CentOS Package Updates

Fri May 14 04:40:36 UTC 2004
Chris Sorisio <chrissorisio at peaktechnical.com>

Time is something I'm prepared to offer, though my black magic skills 
are limited.  I'll check to see if I can make CPU time available, but 
that brings up another questions: how do we establish trust?  What 
process is reasonable to verify that packages I build, for example, are 
trustworthy?  I have a handful of packages I'd be happy to send over 
this weekend (MySQL 4.0.18, etc) but how would the project prefer I sign 
them, what quality control steps do I need to verify first, etc?

I was also thinking of somthing automated, and while manual intervention 
still would be required, it would hopefully reduce the cycle time 
significantly.  Ideally, CentOS would have a system that would:

1.  Automatically detect when an update has been released (via parsing 
the announcement e-mail from Red Hat or something?)
2.  Download the SRPM.
3.  Build a first-pass RPM and notify the package maintainer when it is 
ready for review.
4.  Depending on the maintainer's review, the package is either:
        a. released (another scripted process which automates GPG 
signing and transferring the RPM to the appropriate repositories and 
sends out an e-mail to the list             about its availability after 
an appropriate time-lapse so that the mirrors have a chance to mirror it) or
        b. rejected, pending modifications and another build cycle.

This would at least take some of the load off the maintainer's shoulders 
and - hopefully - most updates would rebuild cleanly and not need 
modifications.  When we know in advance that package X needs mods Y, we 
could make the system aware of it.

All we need is someone talented enough to craft such a system. I can 
admit without too much shame that it's mostly beyond my abilities.  
Anyone volunteers out there? ;)

Lance Davis wrote:

>>What can the community do to help improve turn-around time on Redhat errata?
>Volunteers are always welcome :)
>The reason the kernel takes so long is that it just takes that long to 
>build and test.(likewise openoffice)
>If you have some decent hardware then it should be quicker ...
>As regards the other upodates it is a question of checking whether oatches 
>apply cleanly, removing trademarks where necessary and testing. 
>An automatic system is required, buyt at the end of the day manual 
>intervention will probably always be needed.