From Bruno Mahé <bm...@apache.org>
Subject Fwd: Re: An ASF yum repository?
Date Mon, 27 Feb 2012 20:32:34 GMT
Forwarding to the real bigtop-dev mailing list. There is a typo in the CC.

-------- Original Message --------
Subject: Re: An ASF yum repository?
Date: Mon, 27 Feb 2012 20:22:11 +0200
From: Graham Leggett <minfrin@sharp.fm>
To: Steve Loughran <stevel@apache.org>
CC: Tony Stevenson <pctony@apache.org>, Apache Infrastructure <infrastructure@apache.org>, bigtop-dev@apache.org



On 27 Feb 2012, at 6:30 PM, Steve Loughran wrote:

> OK, can we make bigtop the pilot - assuming the fallback is still "if the pilot fails
> the beta can still ship with a signed announcement containing the SHA1 checksums of the files"
> - which it should be doing anyway for the sake of completeness.
> 
> What do we need to do here then?
> 
> 1. Collect the keys of everyone who is (or soon plans to be) the RMs for Bigtop; that's
> currently Roman Shaposhnik, unless there are other volunteers.
> 
> Roman has keys in the server signed by various ASF people;
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x13971DA39475BD5D
> 
> I'll verify w/ Paolo Castanga that he did the signing; he drops his child off in my street
> for school regularly, so an F2F signing is trivial.
> 
> 2. Submit this list to -someone- to make it the normative "who can release RPMs to the
> release dir".
> 
> 3. Try a pre-release run through to verify that this works; don't mirror this run;
> just check that the chained auth works.
> 
> 4. In the March release, Roman follows the same process, this time the files get mirrored
> out.
> 
> One more thing, what should be the process for verifying the artifacts?
> 
> The most rigorous would be a staging place for the RPMs, and 1+ person does an install
> from the staging repo, with only the ASF key on their trust list. A CentOS VM can do this
> with ease.

I posted a sample script for this. It scans through a staging directory, checking that the
signature on the RPM is signed by an authorised ASF person, and if so, the RPM is then signed
with the ASF repo key, and then svn moved to its final resting place in the dist tree, at
which point svnpubsub takes over.

I've also posted a proposed yum--plain.cgi script that gives us the preferred mirror to be
returned for the yum repository, but it changes mirrors.cgi, so I'd like some eyeballs on
that first.

Regards,
Graham
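The staging gate Graham describes (verify the RM's signature, re-sign with the repo key, svn mv into the dist tree) as an added sketch in shell; this is not the script he posted. It assumes the staging directory sits inside the dist working copy, and every value except Roman's long key ID quoted in the thread is a placeholder.

```shell
#!/bin/sh
# Added illustration of the staging-directory gate, not the script from the thread.
# Placeholders: the allow list of RM key IDs, the repo key's user ID, the dist path.
AUTHORISED_KEY_IDS="13971da39475bd5d"              # long key ID from the thread (Roman)
REPO_KEY="placeholder-asf-repo-key@example.org"    # placeholder, not the real repo key
DIST_DIR="${DIST_DIR:-/path/to/dist/working-copy}" # placeholder dist checkout

# Pull the 64-bit key ID out of rpm's signature header string, lower-cased.
# rpm prints it as: "RSA/SHA1, Mon 27 Feb 2012 ..., Key ID 13971da39475bd5d"
key_id_of() {
    printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Succeeds only when the key ID ($1) is in the whitespace-separated allow list ($2).
is_authorised() {
    for k in $2; do [ "$k" = "$1" ] && return 0; done
    return 1
}

# Gate one RPM: the signature must verify against the local rpm keyring AND the
# signing key must belong to an authorised RM; only then re-sign and svn mv.
promote_rpm() {
    pkg="$1"
    # rpm -K fails when the signature is bad or the signer's key is not imported.
    rpm -K "$pkg" >/dev/null 2>&1 || { echo "REJECT $pkg: signature does not verify" >&2; return 1; }
    kid=$(key_id_of "$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$pkg" 2>/dev/null)")
    is_authorised "$kid" "$AUTHORISED_KEY_IDS" || { echo "REJECT $pkg: key $kid is not an authorised RM" >&2; return 1; }
    # Replace the RM's signature with the repo key's, so yum clients need only the ASF key.
    rpmsign --define "_gpg_name $REPO_KEY" --resign "$pkg" || return 1
    svn mv "$pkg" "$DIST_DIR/" || return 1
    echo "PROMOTED $pkg (submitted by key $kid)"
}

# Walk the staging directory when its path is given on the command line.
if [ -n "${1:-}" ]; then
    for f in "$1"/*.rpm; do promote_rpm "$f"; done
fi
```

The allow list is keyed on the 64-bit key ID because that is what rpm exposes from the package header; it is not a substitute for `rpm -K`, which is what actually proves the signature verifies.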