#2663 Start signing repodata
Closed: Insufficient data 2 years ago by defolos. Opened 2 years ago by dmach.

DNF has supported signed repodata for a while, but Fedora doesn't produce them.
I'd like to get the signatures created and distributed, not necessarily enable repo_gpgcheck=1 by default.

Do you have any idea who to contact to make this happen?
I could file a Change, but I wouldn't be able to deliver the work
as it probably requires some tooling and infra changes.


@dmach The work can be tracked in releng tracker (https://pagure.io/releng) but I wonder if it requires a FESCo approval as a change request?

@kevin and I have to work on it together.

From @kevin

<nirik>     I think https://pagure.io/pungi/issue/506 needs finished, but sounds like there's a plan that depends on https://pagure.io/robosignatory/pull-request/51 so, just needs that merged and released and then pungi code built to use it.

It would probably require a Change to enable it in Fedora by default, but generating the signed repositories should be able to happen at any time.

cc: @demiobenour

So, as noted above, this needs work from robosignatory maintainers, then work from pungi maintainers, then some releng work to enable things.

I guess the biggest unknown is availability of pungi developers to work on this.

IMHO, this should be like any other change... some folks driving it/coordinating and making sure everyone is on board, then making a change and discussing it on devel list and then finally fesco approving...

I'd be happy to help, although I am not sure how much time I will have to devote to it.

> So, as noted above, this needs work from robosignatory maintainers, then work from pungi maintainers, then some releng work to enable things.

Does https://pagure.io/robosignatory/pull-request/51 help with this?

> I guess the biggest unknown is availability of pungi developers to work on this.

I may be able to work on this, although I am no expert on Pungi.

> IMHO, this should be like any other change... some folks driving it/coordinating and making sure everyone is on board, then making a change and discussing it on devel list and then finally fesco approving...

I can guarantee that Qubes OS will enable repo_gpgcheck=1 as soon as Fedora starts signing the repodata, whether or not it is enabled by default in Fedora.

Metadata Update from @defolos:
- Issue tagged with: meeting

2 years ago

@dmach We will discuss this during tomorrow's FESCo meeting, you're cordially invited to join.

@dmach We have discussed this today during the meeting and the proposal sounds reasonable. The agreement is that the interested parties should coordinate on this, get the necessary infrastructure in place and then submit this as a change proposal.

Metadata Update from @defolos:
- Issue close_status updated to: Insufficient data
- Issue status updated to: Closed (was: Open)

2 years ago
