[opensuse-factory] Re: in-toto opensuse demo
Hi. I just realized this fell into my backlog pretty badly. I spoke with kbabioch on Monday (cc'd now), and I was hoping to pick this up sometime soon. Sadly, we are running low on manpower, so we could use some help if anyone on your side is willing... Sorry again for the radio silence. Thanks! -Santiago. On Tue, Jul 25, 2017 at 05:22:51PM -0400, Santiago Torres wrote:
On Tue, Jul 25, 2017 at 11:06:25PM +0200, Adrian Schröter wrote:
On Tuesday, 25 July 2017, 22:57:51 CEST, Santiago Torres wrote: ...
1. We were envisioning the actual obs deployment to authenticate checkouts using an opensuse-held key and signing in-toto link metadata. Similar to how push-certs/tags/evtags work for git.
Projects usually have their own keys, so it may make sense to use these instead of a global key (which also exists)?
Yeah, that sounds reasonable. Sorry I still need to read more on the specifics of OSC/OBS.
2. Likewise, it'd be good to authenticate builds/packages that were produced with obs (in the same way it is done today). We were thinking that this would be possible to add as an output option for a build result. It could be as simple as using our wrapper to wrap the rpmbuild step on the obs scripts folder as a first stab at the issue.
You could have a buildtime source service that processes the sources before running rpmbuild. Please note that files like spec files might still get modified during the build here.
http://openbuildservice.org/help/manuals/obs-reference-guide/cha.obs.source_...
Oh, thanks for the heads up. I think this would also need some review from our side too.
3. We agree that integrating in-toto signing for link metadata on the developer side may be easier to do using an osc plugin. Is there a repository for such plugins? Or how are they usually distributed?
Usually each plugin has its own repository. The factory maintainers have this one, for example:
Also noted. This sounds like a reasonable way to go.
Thanks! -Santiago.
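What "wrapping the rpmbuild step" in point 2 amounts to, as an added example that is not part of the thread and not code from the in-toto project or from OBS: a small stand-in for in-toto-run that hashes the materials before a command, runs it, hashes the products afterwards, and emits the unsigned link body in the same shape in-toto uses (materials, products, command, byproducts). It also chains a "checkout" link into a "build" link and applies the in-toto MATCH idea (a step's materials must equal the previous step's products), so that Adrian's caveat about the spec being rewritten during the build shows up as a verification failure. The two python -c commands and the tarball/rpm bytes are constructed stand-ins for osc checkout and rpmbuild; signing is left out on purpose, since the real in-toto-run signs the link with the key it is given (the project key in the setup discussed above).

```python
"""Record in-toto style link metadata around a build step (added example).

Not in-toto's or OBS's own code: it mimics the link layout in plain Python
so it runs offline. Signing is omitted; in-toto-run signs the link with the
supplied (project) key.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-ins for `osc checkout` and `rpmbuild`; not real tools.
CHECKOUT_CMD = [sys.executable, "-c", (
    "open('pkg.spec', 'w').write('Name: pkg\\nVersion: 1.0\\n');"
    "open('pkg-1.0.tar.gz', 'wb').write(b'constructed tarball bytes')")]
BUILD_CMD = [sys.executable, "-c", (
    "import os; os.makedirs('RPMS', exist_ok=True);"
    "open('RPMS/pkg-1.0.noarch.rpm', 'wb').write("
    "b'constructed rpm built from ' + open('pkg.spec', 'rb').read())")]
SOURCE_GLOBS = ["*.spec", "*.tar.gz"]
PRODUCT_GLOBS = ["RPMS/*.rpm"]


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so a large tarball is not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_artifacts(workdir: Path, patterns) -> dict:
    """Map each file matching the globs (relative POSIX path) to its digest."""
    artifacts = {}
    for pattern in patterns:
        for p in sorted(workdir.glob(pattern)):
            if p.is_file():
                artifacts[p.relative_to(workdir).as_posix()] = {"sha256": sha256_file(p)}
    return artifacts


def record_link(step_name, command, workdir, material_globs, product_globs) -> dict:
    """Run `command` in `workdir` and return an unsigned link record for it.

    Materials are hashed *before* the command runs and products *after*, so the
    link records exactly what the step consumed and what it produced.
    """
    materials = hash_artifacts(workdir, material_globs)
    proc = subprocess.run(command, cwd=workdir, capture_output=True, text=True)
    products = hash_artifacts(workdir, product_globs)
    return {
        "_type": "link",
        "name": step_name,
        "command": list(command),
        "materials": materials,
        "products": products,
        "byproducts": {"return-value": proc.returncode,
                       "stdout": proc.stdout, "stderr": proc.stderr},
        "environment": {},
    }


def unmatched_materials(upstream: dict, downstream: dict) -> list:
    """MATCH rule in miniature: each material the downstream step consumed must
    be byte-identical to a product the upstream step recorded. Returns the
    paths that are missing upstream or differ."""
    produced = upstream["products"]
    return sorted(path for path, digest in downstream["materials"].items()
                  if produced.get(path) != digest)


def run_pipeline(modify_spec: bool = False):
    """Two-step pipeline: 'checkout' writes the sources, 'build' packages them.

    With modify_spec=True the spec is rewritten between the two steps, as a
    buildtime source service would do; the build link still records what the
    build actually saw, and the mismatch is visible at verification time.
    """
    workdir = Path(tempfile.mkdtemp())
    checkout = record_link("checkout", CHECKOUT_CMD, workdir, [], SOURCE_GLOBS)
    if modify_spec:
        (workdir / "pkg.spec").write_text("Name: pkg\nVersion: 1.0\nRelease: 2\n")
    build = record_link("build", BUILD_CMD, workdir, SOURCE_GLOBS, PRODUCT_GLOBS)
    return checkout, build


if __name__ == "__main__":
    checkout_link, build_link = run_pipeline()
    print(json.dumps(build_link, indent=2))
    print("unmatched:", unmatched_materials(checkout_link, build_link))
    _, modified_build = run_pipeline(modify_spec=True)
    print("unmatched after spec rewrite:", unmatched_materials(checkout_link, modified_build))
```

In the real deployment the wrapper would run `in-toto-run` with the project key in place of record_link, and a layout signed by the project owners would state which key may sign each step and that the build step's materials must match the checkout step's products; the point of the second run is that any in-build rewriting of the spec has to be modelled as its own step (with its own signed link) rather than silently absorbed, or verification of the final package will fail.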