On Sat, 2014-11-15 at 16:14 +0100, Carlos E. R. wrote:
On 2014-11-15 15:38, Marcus Meissner wrote:
Hi,
I am not entirely happy with removing it from the build.
I hope that the gpg signature is still included with the published rpm, and that you are not talking of removing it. And if included, it should be verified at least one time before publishing, to ensure that it is correct. I.e., gpg not validated -> stop publishing.
Carlos,
There are multiple signatures, so I'm not sure which one you refer to:
- Every RPM is being signed after build and when being published. No change here.
- Some source rpms contain a .keyring and are performing gpg verification upon build (using gpg_verify).
- The same packages with a .keyring are also verified by the OBS Source Validator, when you check it in and again when the package is submitted to Factory.
The only thing we're advocating to remove is the middle one, where each
'build' is verifying the source signatures; again: AFTER build, the
resulting binary rpms are being signed for publishing.
Some statistics:
# of source packages in Factory : 7658
# of packages in factory with a .keyring file : ~200
# of packages executing gpg_verify during build : ~100
So it's not that this would be an incredibly big impact :)
Cheers,
Dominique
--
Dimstar / Dominique Leuenberger