On Tue, Dec 04, 2012 at 10:12:07AM +0100, Dominique Leuenberger a.k.a DimStar wrote:
Quoting Stephan Kulow <coolo@suse.de>:
On 04.12.2012 09:26, Michal Vyskocil wrote:
This actually sounds like something to be put in the source validator or a similar source service that runs on checkin. And that I can then call from factory-auto.
I agree that ugly %suse version %preps are not worth the extra felt security - especially as we do no checks about the keyring whatsoever.
I do indeed prefer the 'automatic' approach as opposed to having all this info in the .spec files (similar to checkin services or brp-checks).
For 'reviews' of the entire thing, it would be mandatory for obs webui and osc to be able to 'show/decode' the information in the .keyring...
and ANY change on the .keyring file should trigger an immediate warning for the review team, to give an extra heads up that this might be an attempt to alter the security model.
Or, as the first suggestion was, have the .keyring in a collective package in Factory and 'allow' the .keyring to be used as an extension in devel projects / non-factory packages.
I would say having a .keyring with a package, proposed by Ludwig, is a better solution. It increases flexibility and reduces the need for the special package for submission. I agree that a manual review is not the coolest approach ever, but that
1.) Can't be easily worked around
2.) Needs to be done only for the first time - all other changes will be rare
But it is a good idea to have something in a webui showing big-red-something during a .keyring file change.
Regards
Michal Vyskocil