FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 04-15-2008, 04:14 AM
Jesse Keating
 
Default Rawhide issues

Some of you may have noticed some "issues" with rawhide today. Many
(most) the packages reverted to unsigned versions, and then at some
point today, the content went back in time to yesterday. This is
because of a timing issue with trying to sign all the packages for
Fedora 9 release. A small thinko led to a big churn that I tried to cut
off before it got too far. I think I've recovered most of the damage,
and I've prevented rawhide from being composed again until we're done
signing packages, which hopefully will be at some point tomorrow.

Just wanted to keep you all informed of what's going on. Cheers!

P.S. Preview Release is also pending these signatures. It will happen,
eventually (:

--
Jesse Keating
Fedora -- All my bits are free, are yours?
_______________________________________________
Fedora-devel-announce mailing list
Fedora-devel-announce@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-announce--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 08:18 AM
David Woodhouse
 
Default Rawhide issues

On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> Some of you may have noticed some "issues" with rawhide today. Many
> (most) the packages reverted to unsigned versions, and then at some
> point today, the content went back in time to yesterday. This is
> because of a timing issue with trying to sign all the packages for
> Fedora 9 release. A small thinko led to a big churn that I tried to cut
> off before it got too far. I think I've recovered most of the damage,
> and I've prevented rawhide from being composed again until we're done
> signing packages, which hopefully will be at some point tomorrow.

Did mkinitrd-6.0.46 get into that set of packages?

And an anaconda with bug #438377 fixed?

--
dwmw2

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 09:36 AM
Richard Hughes
 
Default Rawhide issues

On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> I've prevented rawhide from being composed again until we're done
> signing packages

Can't we just sign all rawhide packages in the future? Installing
unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
inside. :-)

Richard.


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 10:01 AM
Dave Airlie
 
Default Rawhide issues

On Tue, 2008-04-15 at 10:36 +0100, Richard Hughes wrote:
> On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > I've prevented rawhide from being composed again until we're done
> > signing packages
>
> Can't we just sign all rawhide packages in the future? Installing
> unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
> inside. :-)

The problem with that is the delay waiting for someone authorised to
sign stuff to sign it, or waiting for the oft-mentioned signing-server..

I'd be happy to take signing powers to .au and we could have
follow-the-sun rawhide package signers :0

Dave.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 10:39 AM
Alex Lancaster
 
Default Rawhide issues

>>>>> "DA" == Dave Airlie writes:

DA> On Tue, 2008-04-15 at 10:36 +0100, Richard Hughes wrote:
>> On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > I've prevented rawhide from being composed again until we're done
>> > signing packages
>>
>> Can't we just sign all rawhide packages in the future? Installing
>> unsigned rawhide rpms from dubious looking mirrors makes me feel
>> dirty inside. :-)

DA> The problem with that is the delay waiting for someone authorised
DA> to sign stuff to sign it, or waiting for the oft-mentioned
DA> signing-server..

DA> I'd be happy to take signing powers to .au and we could have
DA> follow-the-sun rawhide package signers :0

Yes! It would be great if such tasks could be spread out over
different timezones... (Ditto for buildroot tagging etc.)

A.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 10:41 AM
Jesse Keating
 
Default Rawhide issues

On Tue, 2008-04-15 at 09:18 +0100, David Woodhouse wrote:
> Did mkinitrd-6.0.46 get into that set of packages?
>
> And an anaconda with bug #438377 fixed?

You can check for yourself with 'koji latest-pkg f9-final <package>'

$ koji latest-pkg f9-final mkinitrd
Build Tag Built by
---------------------------------------- --------------------
----------------
mkinitrd-6.0.47-1.fc9 f9-final katzj


--
Jesse Keating
Fedora -- All my bits are free, are yours?
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 10:53 AM
Till Maas
 
Default Rawhide issues

On Tue April 15 2008, Richard Hughes wrote:
> On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > I've prevented rawhide from being composed again until we're done
> > signing packages
>
> Can't we just sign all rawhide packages in the future? Installing
> unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
> inside. :-)

Afaik Sigul, an automated gpg signing system, needs to be finished / tested
before this will happen:
https://fedorahosted.org/sigul

Regards,
Till
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 12:31 PM
seth vidal
 
Default Rawhide issues

On Tue, 2008-04-15 at 12:53 +0200, Till Maas wrote:
> On Tue April 15 2008, Richard Hughes wrote:
> > On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > > I've prevented rawhide from being composed again until we're done
> > > signing packages
> >
> > Can't we just sign all rawhide packages in the future? Installing
> > unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
> > inside. :-)
>
> Afaik Sigul, an automated gpg signing system, needs to be finished / tested
> before this will happen:
> https://fedorahosted.org/sigul
>


How would people feel if we didn't sign pkgs at all? What if we made
repodata and only signed the repomd.xml? And we made the checksum for
the packages sha256 or sha512?

Then we'd have:
- signed repomd.xml
- verify primary metadata against signed repomd.xml
- verify package checksums against primary

How would people feel about that?

-sv


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 12:44 PM
"Jeffrey Ollie"
 
Default Rawhide issues

On Tue, Apr 15, 2008 at 7:31 AM, seth vidal <skvidal@fedoraproject.org> wrote:
>
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
>
> Then we'd have:
> - signed repomd.xml
> - verify primary metadata against signed repomd.xml
> - verify package checksums against primary
>
> How would people feel about that?

The problem there is that this system breaks down if the packages get
disassociated from their "original" repository. For example, I've
thought about making a custom version of Fedora for work every now and
the - right now the only changes would be different logos and artwork
and maybe some defaults. Currenly, 99% of the packages in my version
of Fedora would have the Fedora signatures on them and the users of my
version of Fedora could trust that I hadn't changed them in some way
from what was in Fedora. If the signatures only lived in the repodata
my users wouldn't be able to check that because I would need to
regenerate the repodata and I woudn't be able to sign my repodata with
the same key that Fedora uses.

Jeff

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 04-15-2008, 12:45 PM
"Colin Walters"
 
Default Rawhide issues

On Tue, Apr 15, 2008 at 8:31 AM, seth vidal <skvidal@fedoraproject.org> wrote:
>
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
>
> Then we'd have:
> - signed repomd.xml
> - verify primary metadata against signed repomd.xml
> - verify package checksums against primary

I think this makes sense.

-- Colin, who long ago implemented essentially this scheme for apt-get

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 

Thread Tools




All times are GMT. The time now is 08:10 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org