Am 20.03.2024 um 10:57:05 Uhr schrieb Adrian Schröter:
On Mittwoch, 20. März 2024, 10:24:14 CET Marco Moock wrote:
Am 20.03.2024 um 08:08:23 Uhr schrieb Adrian Schröter:
On Dienstag, 19. März 2024, 16:59:20 CET Marco Moock wrote:
Hello!
Today I tried to use OBS to build for Fedora 39 on Debian Unstable (there runs osc).
Verifying integrity of cached packages using keys from Fedora:39, OBS warning: /var/tmp/osbuild-packagecache/Fedora:39/standard/x86_64/alternatives-1.25-1.fc39.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 18b8e74c: NOKEY
What is the proper way to add these keys? Should I use rpm --import? I have tried that with the key from https://fedoraproject.org/fedora.gpg, but osc doesn't seem to care.
What is the proper way to handle that?
You are using a chroot build environment. This is not safe against evil attackes, so you would need to trust these rpms via import.
Which key do I need to import. From where do I get it?
Usually from the distro. However, please note that this means that anyone from Fedora can modify your Debian system.
So the proper way is to use --vm-type?
Usually you do not want to grant this.
Of course not. I though that the builds will be done in a separated environment independent of my current operating system. Thanks for the clarification. -- Gruß Marco Send unsolicited bulk mail to 1710928625muell@cartoonies.org
On Mittwoch, 20. März 2024, 11:04:27 CET Marco Moock wrote:
Am 20.03.2024 um 10:57:05 Uhr schrieb Adrian Schröter:
On Mittwoch, 20. März 2024, 10:24:14 CET Marco Moock wrote:
Am 20.03.2024 um 08:08:23 Uhr schrieb Adrian Schröter:
On Dienstag, 19. März 2024, 16:59:20 CET Marco Moock wrote:
Hello!
Today I tried to use OBS to build for Fedora 39 on Debian Unstable (there runs osc).
Verifying integrity of cached packages using keys from Fedora:39, OBS warning: /var/tmp/osbuild-packagecache/Fedora:39/standard/x86_64/alternatives-1.25-1.fc39.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 18b8e74c: NOKEY
What is the proper way to add these keys? Should I use rpm --import? I have tried that with the key from https://fedoraproject.org/fedora.gpg, but osc doesn't seem to care.
What is the proper way to handle that?
You are using a chroot build environment. This is not safe against evil attackes, so you would need to trust these rpms via import.
Which key do I need to import. From where do I get it?
Usually from the distro. However, please note that this means that anyone from Fedora can modify your Debian system.
So the proper way is to use --vm-type?
Usually you do not want to grant this.
Of course not. I though that the builds will be done in a separated environment independent of my current operating system.
it is, but being root in chroot is not really safe.
It is fine for most cases, esp. to protect against mistakes and bugs,
but it is not safe when someone tries to attack you on purpose.
Therefore osc insists to trust these binaries in the same way as
you do trust your operating system.
On the other side, people claim that it is not easy enough to work
with kvm builds. But give it a try... (there is "osc shell" to jump inside)
--
Adrian Schroeter
On Wed, Mar 20, 2024 at 11:58 AM Adrian Schröter
But give it a try... (there is "osc shell" to jump inside)
Speaking with tongue behind my cheek: Isn't that "osc shell" is exactly what you wanted to hide from everyone all these years? :-P -- Bo
On Mittwoch, 20. März 2024, 12:01:39 CET Bo Maryniuk wrote:
On Wed, Mar 20, 2024 at 11:58 AM Adrian Schröter
wrote: But give it a try... (there is "osc shell" to jump inside)
Speaking with tongue behind my cheek: Isn't that "osc shell" is exactly what you wanted to hide from everyone all these years? :-P
no, why?
I also wrote the code behind "osc shell" connecting to KVM..
--
Adrian Schroeter
participants (3)
-
Adrian Schröter
-
Bo Maryniuk
-
Marco Moock