Re: [Pulp-dev] Should signing service be associated with Publication or Repository?
On Fri, Mar 20, 2020 at 8:35 AM Neal Gompa wrote:
> On Thu, Mar 19, 2020 at 11:14 PM Dennis Kliban wrote:
> >
> > RPM plugin allows users to define a signing service per repository. All
> > publications created from repository versions of that repository are signed
> > with that signing service.
> >
> > The Debian plugin requires the user to specify the signing service each
> > time a publication is created. The signing service foreign key is stored
> > with each publication.
> >
> > Even though the implementation in Debian requires the user to provide
> > the service href each time a publication is created, it seems like a
> > stronger model. The signing service associated with a repository can change,
> > thus making it challenging to keep track of which signing service was used
> > to create a publication.
> >
> > We should change the behavior in the RPM plugin before we release this
> > feature.
>
> Isn't the reason for the difference that Debian repos only have
> repodata signed and not packages?
>
> I guess technically we could use different GPG keys for each
> repository publish, but that would lead to multiple copies of the same
> RPM with different data, since the expectation is that both RPMs and
> the repodata should be signed for RPM repositories.
>

The RPM plugin does not currently provide the ability to sign packages. This discussion is only about signing the metadata.

>
> --
> 真実はいつも一つ!/ Always, there's only one truth!
>
> ___
> Pulp-dev mailing list
> Pulp-dev@redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev
Re: [Pulp-dev] Should signing service be associated with Publication or Repository?
On Thu, Mar 19, 2020 at 11:14 PM Dennis Kliban wrote:
>
> RPM plugin allows users to define a signing service per repository. All
> publications created from repository versions of that repository are signed
> with that signing service.
>
> The Debian plugin requires the user to specify the signing service each time
> a publication is created. The signing service foreign key is stored with each
> publication.
>
> Even though the implementation in Debian requires the user to provide the
> service href each time a publication is created, it seems like a stronger
> model. The signing service associated with a repository can change, thus
> making it challenging to keep track of which signing service was used to
> create a publication.
>
> We should change the behavior in the RPM plugin before we release this
> feature.

Isn't the reason for the difference that Debian repos only have repodata signed and not packages?

I guess technically we could use different GPG keys for each repository publish, but that would lead to multiple copies of the same RPM with different data, since the expectation is that both RPMs and the repodata should be signed for RPM repositories.

--
真実はいつも一つ!/ Always, there's only one truth!
Re: [Pulp-dev] Should signing service be associated with Publication or Repository?
On Fri, Mar 20, 2020 at 5:45 AM Matthias Dellweg wrote:
> Actually Quirin and I have also seen the difference, and we discussed,
> we should implement a combination, where you can specify on the
> repo-level but override the signing service with each publication.
> It is a little more work for a lot more convenience, imho.
> And of course it might be nice to see it handled as similarly as
> possible in both plugins.
>

I like this idea. In both cases though, the signing service foreign key should always be stored with a publication. Is that what you had in mind also?

> On Thu, 19 Mar 2020 23:13:23 -0400
> Dennis Kliban wrote:
>
> > RPM plugin allows users to define a signing service per repository.
> > All publications created from repository versions of that repository
> > are signed with that signing service.
> >
> > The Debian plugin requires the user to specify the signing service
> > each time a publication is created. The signing service foreign key
> > is stored with each publication.
> >
> > Even though the implementation in Debian requires the user to provide
> > the service href each time a publication is created, it seems like a
> > stronger model. The signing service associated with a repository can
> > change, thus making it challenging to keep track of which signing
> > service was used to create a publication.
> >
> > We should change the behavior in the RPM plugin before we release this
> > feature.
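The model agreed on in the two messages above (a repository-level default that an individual publication can override, with the resolved signing service always recorded on the publication) can be sketched in a few dataclasses. The following is an added illustration, not code from pulp_rpm or pulp_deb; the class and function names are hypothetical, the signing step is an HMAC stand-in for an external GPG signing service, and the sample repodata is constructed. It shows why recording the foreign key on the publication matters: after the repository's default is rotated, the older publication can still be verified against the service that actually signed it.

```python
"""Added example (not Pulp code): repo-level default signing service with a
per-publication override, and the resolved service recorded on the publication.
All names here are hypothetical and chosen for illustration only."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SigningService:
    name: str
    key_id: str  # constructed identifier for the key this service signs with


@dataclass
class Repository:
    name: str
    signing_service: Optional[SigningService] = None  # repo-level default, may change


@dataclass(frozen=True)
class Publication:
    repository: str
    version: int
    # The service actually used, recorded even when it was inherited from the repo.
    signing_service: Optional[SigningService]
    signature: Optional[str]


class SigningServiceRequired(Exception):
    """Raised when a publication must be signed but no service could be resolved."""


def resolve_signing_service(repo: Repository,
                            override: Optional[SigningService] = None) -> Optional[SigningService]:
    """Per-publication override wins; otherwise fall back to the repository default."""
    return override if override is not None else repo.signing_service


def sign_metadata(service: SigningService, metadata: bytes) -> str:
    """Stand-in for the external signing service: an HMAC keyed by key_id.
    A real service would hand the metadata to GPG and return a detached signature."""
    return hmac.new(service.key_id.encode(), metadata, hashlib.sha256).hexdigest()


def create_publication(repo: Repository, version: int, metadata: bytes,
                       override: Optional[SigningService] = None,
                       require_signing: bool = True) -> Publication:
    """Resolve the service once, sign, and persist the service used on the publication."""
    service = resolve_signing_service(repo, override)
    if service is None:
        if require_signing:
            raise SigningServiceRequired(f"no signing service resolved for {repo.name}")
        return Publication(repo.name, version, None, None)
    return Publication(repo.name, version, service, sign_metadata(service, metadata))


def verify_publication(pub: Publication, metadata: bytes) -> bool:
    """Verify against the service recorded on the publication, not the repo's current one."""
    if pub.signing_service is None or pub.signature is None:
        return False
    expected = sign_metadata(pub.signing_service, metadata)
    return hmac.compare_digest(expected, pub.signature)


SAMPLE_METADATA = b"<repomd>constructed sample repodata</repomd>"  # constructed input


def publication_history() -> List[Publication]:
    """Three publications across a default-key rotation and a one-off override."""
    svc_a = SigningService("release-2019", "KEYID-A")  # constructed
    svc_b = SigningService("release-2020", "KEYID-B")  # constructed
    svc_c = SigningService("hotfix", "KEYID-C")        # constructed
    repo = Repository("example-repo", signing_service=svc_a)

    p1 = create_publication(repo, 1, SAMPLE_METADATA)             # inherits svc_a
    repo.signing_service = svc_b                                  # rotate the default
    p2 = create_publication(repo, 2, SAMPLE_METADATA)             # inherits svc_b
    p3 = create_publication(repo, 3, SAMPLE_METADATA, override=svc_c)
    return [p1, p2, p3]


if __name__ == "__main__":
    for pub in publication_history():
        print(pub.version, pub.signing_service.key_id,
              verify_publication(pub, SAMPLE_METADATA))
```

Because `verify_publication` reads the service from the publication itself, changing `Repository.signing_service` later (or deleting the repository) does not lose track of which key signed publication 1; a model that stored the foreign key only on the repository would have to guess.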
Re: [Pulp-dev] Should signing service be associated with Publication or Repository?
Actually Quirin and I have also seen the difference, and we discussed, we should implement a combination, where you can specify on the repo-level but override the signing service with each publication.
It is a little more work for a lot more convenience, imho.
And of course it might be nice to see it handled as similarly as possible in both plugins.

On Thu, 19 Mar 2020 23:13:23 -0400
Dennis Kliban wrote:

> RPM plugin allows users to define a signing service per repository.
> All publications created from repository versions of that repository
> are signed with that signing service.
>
> The Debian plugin requires the user to specify the signing service
> each time a publication is created. The signing service foreign key
> is stored with each publication.
>
> Even though the implementation in Debian requires the user to provide
> the service href each time a publication is created, it seems like a
> stronger model. The signing service associated with a repository can
> change, thus making it challenging to keep track of which signing
> service was used to create a publication.
>
> We should change the behavior in the RPM plugin before we release this
> feature.
[Pulp-dev] Should signing service be associated with Publication or Repository?
RPM plugin allows users to define a signing service per repository. All publications created from repository versions of that repository are signed with that signing service.

The Debian plugin requires the user to specify the signing service each time a publication is created. The signing service foreign key is stored with each publication.

Even though the implementation in Debian requires the user to provide the service href each time a publication is created, it seems like a stronger model. The signing service associated with a repository can change, thus making it challenging to keep track of which signing service was used to create a publication.

We should change the behavior in the RPM plugin before we release this feature.