[Bugs] [Bug 1727727] Build+Packaging Automation

bugzilla at redhat.com
Thu Aug 22 13:25:49 UTC 2019


https://bugzilla.redhat.com/show_bug.cgi?id=1727727



--- Comment #17 from Kaleb KEITHLEY <kkeithle at redhat.com> ---
(In reply to M. Scherer from comment #15)
> I did push the installation and I would like to defer the gnupg integration
> for now, as it likely requires a bit more discussion (like, how do we
> distribute the keys, etc, do we rotate it).
> 
> And for the pbuilder cache, I would need to know the exact matrix of
> distribution we want to build and how. That part seems not too hard:
> https://wiki.debian.org/PbuilderTricks#How_to_build_for_different_distributions
> 
> And if we aim to build on unstable, we also may need to do some work to keep
> the chroot updated (same for stable in fact).

The keys that we've been using were generated on an internal machine and
distributed to the build machines, which are all internal as well. 

We were using a new, different key for every major version through 4.1, but
some people complained about that, so for 5.x, 6.x, and now 7.x we have been
using the same key. As 4.1 is about to reach EOL that essentially means we are
only using a single key now for all the packages we build.

AFAIK people expect the packages to be signed. And best practice suggests to
me that they _must_ be signed.

Given that 7.0rc0 is now out and packages will be signed with the current key,
that suggests to me that we must keep using that key for the life of 7.x. We
can certainly create a new key for 8.x, when that rolls around.

And yes, we need a secure way to get the private key onto the Jenkins build
machines somehow.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
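The signing policy discussed in the comment above (one key shared by 5.x, 6.x and 7.x, a new key only at the next major version, never re-keying a series that has already shipped signed packages) can be expressed as a verifier that pins one public key per release series. The following is an added example, not code from this bug or from the project's build tooling; it uses ed25519 from the Go standard library as a stand-in for the GnuPG keys the comment refers to, and the keyring type, package names and version strings are constructed for illustration. Distribution of the private key to the build machines, which the comment leaves open, is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// SeriesKeyring pins, per release series ("7.x"), the single public key
// that every package in that series must have been signed with. Several
// series may share one key (5.x, 6.x and 7.x do in this example).
type SeriesKeyring map[string]ed25519.PublicKey

// Package is a built artifact with a detached signature over its content.
type Package struct {
	Name      string // constructed example name, e.g. "glusterfs_7.0rc0-1_amd64.deb"
	Version   string // upstream version, e.g. "7.0rc0"
	Content   []byte
	Signature []byte
}

// NewSigningKey generates a fresh key pair (stand-in for gpg --gen-key).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SeriesOf maps a version string to its series: "7.0rc0" -> "7.x", "4.1.8" -> "4.x".
func SeriesOf(version string) (string, error) {
	i := strings.IndexByte(version, '.')
	if i <= 0 {
		return "", fmt.Errorf("cannot derive release series from version %q", version)
	}
	major := version[:i]
	for _, c := range major {
		if c < '0' || c > '9' {
			return "", fmt.Errorf("non-numeric major version in %q", version)
		}
	}
	return major + ".x", nil
}

// SignPackage attaches a detached signature (stand-in for gpg --detach-sign).
func SignPackage(priv ed25519.PrivateKey, pkg *Package) {
	pkg.Signature = ed25519.Sign(priv, pkg.Content)
}

// VerifyPackage accepts a package only if it verifies under the key pinned for
// its own series; a valid signature from another series' key is still rejected.
func VerifyPackage(ring SeriesKeyring, pkg Package) error {
	series, err := SeriesOf(pkg.Version)
	if err != nil {
		return err
	}
	pub, ok := ring[series]
	if !ok {
		return fmt.Errorf("%s: no signing key pinned for series %s", pkg.Name, series)
	}
	if len(pkg.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, pkg.Content, pkg.Signature) {
		return errors.New(pkg.Name + ": signature does not verify under the key pinned for " + series)
	}
	return nil
}

// Rotate pins a key for a series that has none yet. Replacing the key of a
// series that has already shipped signed packages is refused: consumers who
// imported the original key would stop verifying later builds of that series.
func (r SeriesKeyring) Rotate(series string, pub ed25519.PublicKey) error {
	if _, exists := r[series]; exists {
		return fmt.Errorf("series %s already has a pinned key; rotate at the next major version instead", series)
	}
	r[series] = pub
	return nil
}

func main() {
	pub7, priv7, _ := NewSigningKey()
	pub8, priv8, _ := NewSigningKey()
	ring := SeriesKeyring{"5.x": pub7, "6.x": pub7, "7.x": pub7}

	rc := Package{Name: "glusterfs_7.0rc0-1_amd64.deb", Version: "7.0rc0", Content: []byte("constructed payload")}
	SignPackage(priv7, &rc)
	fmt.Println("7.0rc0 signed with 7.x key:", VerifyPackage(ring, rc))

	early := Package{Name: "glusterfs_7.1-1_amd64.deb", Version: "7.1", Content: []byte("constructed payload")}
	SignPackage(priv8, &early) // wrong key for this series
	fmt.Println("7.1 signed with 8.x key:", VerifyPackage(ring, early))

	fmt.Println("re-key 7.x mid-series:", ring.Rotate("7.x", pub8))
	fmt.Println("pin a key for 8.x:", ring.Rotate("8.x", pub8))
}
```

The check that matters is in VerifyPackage: the key is selected by the package's own series, so a signature that is cryptographically valid under some other pinned key is not enough. Rotate enforces the second half of the policy, that once 7.0rc0 has shipped under a key, that key stays for the life of 7.x and a new one is introduced only for 8.x.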