On 21. 03. 19 at 13:57, Neal Gompa wrote:
> Forgive me, but what does sigul do that signd cannot? I'm unaware of
> any material differences between the two.

When I started Copr I considered both Sigul and OBS signd. I spent several hours with Mirek Trmač, the original author of Sigul, and we talked about the pros and cons. It was several years ago, but IIRC:

Sigul allows better isolation. It even has its own transport layer. When you want to generate a new private key, the procedure is very strict. (That was a con for Copr, as we had to automate this step.)
No one is using Sigul but Fedora and RHEL. I can even say it is upstream dead; there are only fixes which keep it alive (like the Py3 migration).
The con of Sigul is that you must transfer the whole file to Sigul; Sigul will sign it and send the whole file back. Quite painful for some packages which are several hundred MB big. On the other hand, this keeps good track of the files which were signed. OBS signd gets just a checksum and signs the file based on the checksum. It is fast.
OBS signd is used by several projects. OBS and Copr are likely the biggest ones. It is documented (Sigul is not). And it gets some enhancements over time; the pace is very slow, but better than Sigul's.
While OBS signd was designed for OBS, it is nicely isolated and can be used as a standalone module.

My conclusion for Copr was: OBS signd is secure enough for Copr, so we would rather cooperate with other distributions on a common project than keep alive a project with an unknown future.

Miroslav
_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org
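The message above contrasts two signing-service designs: one where the whole artifact is shipped to the signer (which can then hash it itself and keep a record of exactly what it signed), and one where only a checksum crosses the wire (fast, but the signer can only record a digest the client claimed). The following is an added illustration written for this page, not code from Sigul, OBS signd, Copr or Fedora infrastructure; it uses Ed25519 over a SHA-256 digest as a stand-in for the GPG signing those services actually do, and the in-process `SignServer`, `SignRecord`, `SignWholeFile`, `SignDigest` and `Verify` names are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// SignRecord is what the signing server can log about one request.
// Size is -1 when the server never saw the content, only a digest.
type SignRecord struct {
	Mode   string
	Digest string
	Size   int64
}

// SignServer holds the private key. A real deployment keeps this on an
// isolated host behind a transport layer; here it is in-process for
// illustration only (assumed structure, not either project's design).
type SignServer struct {
	priv ed25519.PrivateKey
	Log  []SignRecord
}

func NewSignServer() (*SignServer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SignServer{priv: priv}, nil
}

func (s *SignServer) Public() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

// SignWholeFile models the "transfer the whole file" flow: the artifact
// is streamed to the server, which hashes it itself and can therefore
// record the true digest and size of what it signed.
func (s *SignServer) SignWholeFile(r io.Reader) ([]byte, error) {
	h := sha256.New()
	n, err := io.Copy(h, r)
	if err != nil {
		return nil, err
	}
	digest := h.Sum(nil)
	s.Log = append(s.Log, SignRecord{Mode: "whole-file", Digest: hex.EncodeToString(digest), Size: n})
	return ed25519.Sign(s.priv, digest), nil
}

// SignDigest models the "checksum only" flow: nothing but the digest
// crosses the wire. The server cannot verify that the digest belongs to
// any particular file, so its log is only as trustworthy as the client.
func (s *SignServer) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("expected %d-byte SHA-256 digest, got %d", sha256.Size, len(digest))
	}
	s.Log = append(s.Log, SignRecord{Mode: "digest-only", Digest: hex.EncodeToString(digest), Size: -1})
	return ed25519.Sign(s.priv, digest), nil
}

// Verify checks a signature against the artifact content. It is the same
// check regardless of which mode produced the signature.
func Verify(pub ed25519.PublicKey, content, sig []byte) bool {
	d := sha256.Sum256(content)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	srv, err := NewSignServer()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a package file.
	pkg := bytes.Repeat([]byte("constructed sample package payload\n"), 1000)

	sig1, _ := srv.SignWholeFile(bytes.NewReader(pkg))
	d := sha256.Sum256(pkg)
	sig2, _ := srv.SignDigest(d[:])

	// Ed25519 is deterministic, so both modes yield the identical signature;
	// the only difference is what the server saw and can attest to.
	fmt.Println("same signature:", bytes.Equal(sig1, sig2), "verifies:", Verify(srv.Public(), pkg, sig1))
	for _, r := range srv.Log {
		fmt.Printf("%+v\n", r)
	}
}
```

Both modes produce the same verifiable signature, so the choice between them is not about signature strength; it is the trade-off the message describes between bandwidth (the digest-only request is 32 bytes no matter how large the package is) and the signer's ability to keep an independent record of what it actually signed.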