Am 27. August 2016 11:52:25 MESZ, schrieb Dominique Leuenberger / DimStar <dimstar@opensuse.org>:
On Fri, 2016-08-26 at 21:54 +0200, Axel Braun wrote:
Regardless of the tarball source (upload from a developer or download by OBS via _service file), I think, that the tarballs should be verified with GPG keys or SHA checksums. This verification is enabled in some Factory packages, but not in all.
That makes perfectly sense.
Not all upstreams provide a signature - for the ones that do, I agree, we should use them. But it's at the maintainers to verify that there ARE signatures and use them.
Can you point me to a how-to or some documentation?
The infrastructure is ready - sigs are verified upon submission to Factory and as the package can't change there without a submission, it's gauranteed to stay valid (but can of cource be verified at any given point in time)
See the discussion here: [opensuse-factory] Build service and checksums for source code archive verification https://lists.opensuse.org/opensuse-factory/2016-08/msg00213.html
But coming back to the original scope of the mail - why automatic service runs are not allowed in Factory. I would have expected the whole community of package maintainers to step-up and grill me. Except Björn's comment I saw a mail from Oliver https://lists.opensuse.org/opensuse-factory/2016-08/msg00428.html complaining basically about the same fact.
So, if we dont have hard reasons to give away this nice feature , why cant we enable it by default? Or at least, not complain about it in factory?
For Factory it's a no-go: we have to guarantee that source will never change except by means of a submission from a devel project. With enabled services we risk that any given package might just 'updated to latest git master' (possibly involving user error, but still). You have to understand that any such thing would more than just invalidate the entire staging and pre-integration testing workflows we do.
For git, agree that may be an issue. For the packages I maintain there is a distinct version number, so it does not change 'by chance', only by purpose in the spec-file. I don't see that a service download would do harm
Services can be a great aid - but I don't see them fit in maintaining a project like Tumbleweed.
They can reduce workload dramatically: each supported version of Tryton (currently 6) has around 100 packages, where around 20% of them receive a monthly bugfix, resulting in a new minor version. Only 1 version should go to factory in the future, but the additional effort for local package handling does not really make me happy.... :-( Viele Grüße Axel Braun -- Diese Nachricht wurde von meinem Android-Tablet mit K-9 Mail gesendet. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org