incubator-bigtop-dev mailing list archives
From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Fwd: Re: An ASF yum repository?
Date Sat, 25 Feb 2012 02:14:49 GMT
Roman Shaposhnik wrote on Fri, Feb 24, 2012 at 17:40:12 -0800:
> On Fri, Feb 24, 2012 at 4:59 PM, Bruno Mahé <bmahe@apache.org> wrote:
> >>   2. The items with "missing sigs" mentioned in the checker page
> >>      belong to some package repo you publish. It is clear that,
> >>      according to the rules, these packages must be signed, or
> >>      removed.
> >>
> >>   Regards,
> >>
> >>   HPP
> >>
> >
> > Sure, since Roman was the release manager I guess he will have to sign
> > every single file.
> > I just opened the following ticket:
> > https://issues.apache.org/jira/browse/BIGTOP-421
> 
> I'm totally willing to make repositories signed. However, that won't stop the
> script from complaining.
> 
> Will it be possible to satisfy apache infra requirements with signed
> apt/yum/zypper repos?

Yes.  The point is that releases must be cryptographically signed and
verifiable.  Signing the .asc files in the apt trees DOES NOT guarantee
that.  Signing the releases in the method specific to apt trees does.

Follow the policy, not the scripts that implement it.

> Linux distributions have been using this mechanism to guarantee
> authenticity of distributed artifacts for at least 7 years by now and I'm pretty
> sure it has passed the test of time as far as infosec policies are concerned.
> 
> Henk, what's your take on this?
> 
> Thanks,
> Roman.
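The repository-specific signing Daniel and Roman are discussing, shown for a yum repo as an added example (not code from the thread or from Bigtop): a detached GPG signature over repomd.xml, served as repomd.xml.asc, which yum/zypper check when repo_gpgcheck is on. It assumes GnuPG 2.1+ on PATH; the throwaway key, the user id and the repomd.xml contents are constructed for the demonstration.

```shell
#!/bin/sh
# Sign repository metadata the way distributions do and verify it, including
# the check that matters for policy: metadata altered after signing must fail.
sign_and_verify_repomd() {
    work=$(mktemp -d) || return 1
    home="$work/gnupg"
    mkdir -m 700 "$home" || { rm -rf "$work"; return 1; }
    # Kill the agent spawned for this throwaway homedir before removing it.
    cleanup() { gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null; rm -rf "$work"; }

    # Constructed throwaway release key (a real release manager uses a key
    # published in the project's KEYS file).
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release <release@example.invalid>' default default never \
        >/dev/null 2>&1 || { cleanup; return 1; }

    # Constructed stand-in for repomd.xml (the real file lists checksums of
    # the package lists, which in turn carry checksums of every package).
    printf '<repomd><data type="primary"><checksum type="sha256">%s</checksum></data></repomd>\n' \
        deadbeef > "$work/repomd.xml"

    # Detached ASCII-armored signature over the metadata: repomd.xml.asc.
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$work/repomd.xml.asc" "$work/repomd.xml" \
        2>/dev/null || { cleanup; return 1; }

    # Genuine metadata must verify against the signature.
    gpg --homedir "$home" --batch --quiet --verify \
        "$work/repomd.xml.asc" "$work/repomd.xml" 2>/dev/null || { cleanup; return 1; }

    # Metadata modified after signing must NOT verify; if it did, the
    # signature would guarantee nothing about what clients download.
    printf '<repomd><data type="primary"><checksum type="sha256">%s</checksum></data></repomd>\n' \
        cafebabe > "$work/repomd.xml"
    if gpg --homedir "$home" --batch --quiet --verify \
        "$work/repomd.xml.asc" "$work/repomd.xml" 2>/dev/null; then
        cleanup; return 1
    fi

    cleanup
    return 0
}
```

Returns 0 only when the genuine file verifies and the tampered file is rejected.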
