incubator-bigtop-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bruno Mahé <bm...@apache.org>
Subject Re: Fwd: Re: An ASF yum repository?
Date Fri, 24 Feb 2012 21:43:15 GMT
Some questions for our dear mentors:

* Given that we are targeting a release by end of march, is it ok to let
the current convenience artefacts as is but make sure everything will be
signed from now on?

* The previous convenience packages were not signed but the ones for the
coming release will be. That means packages/repositories metadata will
contain a signed checksum of the artefacts. Therefore signing files such
as
incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
wouldn't achieve anything but make the checker script happy since no
user or package management would knows about such signature required by
the checker script. Signing any file to make the checker script happy is
absolutely fine if it is used by Apache infra to ensure files integrity,
but it has be noted no one but package management systems will look at
these tarballs. The only thing looking at these signature will be the
checker script. So as part of the release process, is signing these
tarball for the checker script a requirement?


On 02/24/2012 09:59 AM, Steve Loughran wrote:
>
> Henk says that all the stuff in the repos should be signed, somehow...
>
> -------- Original Message --------
> Subject: Re: An ASF yum repository?
> Date: Fri, 24 Feb 2012 16:08:28 +0100
> From: Henk P. Penning <penning@uu.nl>
> To: Steve Loughran <stevel@apache.org>
> CC: Graham Leggett <minfrin@sharp.fm>, Tony Stevenson
> <pctony@apache.org>,        Apache Infrastructure
> <infrastructure@apache.org>
>
> On Fri, 24 Feb 2012, Steve Loughran wrote:
>
>> Date: Fri, 24 Feb 2012 15:47:48 +0100
>> From: Steve Loughran <stevel@apache.org>
>> To: Graham Leggett <minfrin@sharp.fm>
>> Cc: Tony Stevenson <pctony@apache.org>,
>>     Apache Infrastructure <infrastructure@apache.org>
>> Subject: Re: An ASF yum repository?
>
>   [ ... ]
>
>> Apache Bigtop sticks its artefacts out in the right layout -and
>> mirrors these
>> out to all the mirrors. Provided the directory trees get copied, it's
>> just
>> the signing problem left.
>>
>> http://www.apache.org/dist//incubator/bigtop/stable/repos/
>
> Hi,
>
>   bigtop is distributing unsigned stuff ; see
>
>     http://people.apache.org/~henkp/checker/sig.html#user-rvs
>
>   for instance
>
>
> incubator/bigtop/bigtop-0.2.0-incubating/repos/ubuntu/pool/contrib/h/hadoop-zookeeper/hadoop-zookeeper_3.3.3.2.orig.tar.gz
>
>
>   Can you fix that ?
>
>   Regards,
>
>   Henk Penning
>
> ---------------------------------------------------------   _
> Henk P. Penning, ICT-beta              R Uithof WISK-412  _/ \_
> Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
> Budapestlaan 6, 3584CD Utrecht, NL     F +31 30 253 4553 \_/ \_/
> http://people.cs.uu.nl/henkp/          M penning@uu.nl     \_/


Mime
View raw message