Forwarding to the real bigtop-dev mailing list. There is a typo in the CC.

-------- Original Message --------
Subject:        Re: An ASF yum repository?
Date:   Mon, 27 Feb 2012 20:22:11 +0200
From:   Graham Leggett <[email protected]>
To:     Steve Loughran <[email protected]>
CC:     Tony Stevenson <[email protected]>, Apache Infrastructure
<[email protected]>, [email protected]



On 27 Feb 2012, at 6:30 PM, Steve Loughran wrote:

> OK, can we make bigtop the pilot -assuming the fallback is still "if the 
> pilot fails the beta can still ship with a signed announcement containing 
> the SHA1 checksums of the files" -which it should be
> doing anyway for the sake of completeness.
> 
> What do we need to do here then?
> 
> 1. Collect the keys of everyone who is (or soon plans to be) the RMs for 
> Bigtop; that's currently Roman Shaposhnik, unless there are other volunteers.
> 
> Roman has keys in the server signed by various ASF people;
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x13971DA39475BD5D
> 
> I'll verify w/ Paolo Castanga that he did the signing; he drops his child off 
> in my street for school regularly, so an F2F signing is trivial.
> 
> 2. submit this list to -someone- to make it the normative "who can release 
> RPMs to the release dir"
> 
> 3. Try a pre-release run through to verify that this works; don't mirror 
> this run; just check that the chained auth works.
> 
> 4. In the march release, Roman follows the same process, this time the files 
> get mirrored out.
> 
> One more thing, what should be the process for verifying the artifacts?
> 
> The most rigorous would be for a staging place for the RPMs, and 1+ person 
> does an install from the staging repo, with only the ASF key on their trust 
> list. A CentOS VM can do this with ease.

I posted a sample script for this. It scans through a staging directory, 
checking that the signature on the RPM is signed by an authorised ASF person, 
and if so, the RPM is then signed with the ASF repo key, and then svn moved to 
its final resting place in the dist tree, at which point svnpubsub takes over.

I've also posted a proposed yum--plain.cgi script that gives us the preferred 
mirror to be returned for the yum repository, but it changes mirrors.cgi, so 
I'd like some eyeballs on that first.

Regards,
Graham
--
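The staging check Graham describes, written out as an added example (it is not his posted script). It assumes the `rpm -Kv` output format, an allowlist file of authorised RM key IDs, and placeholder staging and dist paths; all key IDs and sample output are constructed.

```shell
#!/bin/sh
# Added example, not Graham's posted script: gate promotion of staged RPMs on
# who signed them. Allowlist file, svn paths and the key IDs are constructed.
#
# Caveat: `rpm -Kv` only reports a signature OK when the signer's public key
# has been imported (rpm --import) into the checking host's rpm keyring, so
# import exactly the authorised RM keys there and still compare the key ID to
# the allowlist: one stray imported key must never be enough on its own.

# Print the key ID of the package (non-header) signature from `rpm -Kv`
# output, but only if rpm verified it as OK. Handles both the older
# "V3 DSA signature: OK, key ID xxxx" and newer "..., key ID xxxx: OK" forms.
payload_key_id() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*V[0-9]+ .*[Ss]ignature.*key ID [0-9a-fA-F]+' \
      | grep -E ': OK(,|$)' \
      | sed -E 's/.*key ID ([0-9a-fA-F]+).*/\1/' \
      | head -n 1
}

# Return 0 when the package signature verified and its key ID is on the
# allowlist ($2: key IDs, one per line); 1 otherwise.
signer_allowed() {
    id=$(payload_key_id "$1") || return 1
    [ -n "$id" ] || return 1
    printf '%s\n' "$2" | grep -qix "$id"
}

# Walk a staging directory: accepted packages are svn-moved into the dist
# tree (where svnpubsub takes over), rejected ones are reported. Re-signing
# with the repo key (rpm --resign) would sit just before the svn mv.
promote_staged() {
    staging=$1; dist=$2; allow=$(cat "$3")
    status=0
    for rpmfile in "$staging"/*.rpm; do
        [ -e "$rpmfile" ] || continue
        out=$(rpm -Kv "$rpmfile" 2>&1) || true
        if signer_allowed "$out" "$allow"; then
            svn mv "$rpmfile" "$dist/" || status=1
        else
            echo "REJECT: $rpmfile (unsigned, bad, or unauthorised key)" >&2
            status=1
        fi
    done
    return $status
}

# Usage: promote.sh STAGING_DIR DIST_DIR ALLOWLIST_FILE
if [ $# -ge 3 ]; then promote_staged "$1" "$2" "$3"; fi
```

The allowlist is the output of Steve's steps 1 and 2: the short key IDs of the people authorised to release RPMs, one per line.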

