2018-02-19 13:55 UTC

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0014483Buildsyscommunity buildsyspublic2018-02-12 16:40
Reporterngompa 
PrioritynormalSeverityfeatureReproducibilityN/A
StatusnewResolutionopen 
Summary0014483: Please GPG sign repository metadata for CBS repositories
DescriptionI've been trying to get the CentOS SIG repositories enabled in the
openSUSE Build Service.

Last week, I started working with Adrian Schröter (who manages the CentOS configurations on the openSUSE Build Service and is one of the OBS developers and administrators) on getting this done, and the issue right now is that there's
no way to securely validate the repodata.

OBS supports two ways:

1. Validating repodata from a mirror using the copy on the master
server fetched through HTTPS.

2. Validating repodata through GPG-signed repodata (signed repomd.xml)

While the base repositories do the latter, none of the repositories
produced through CBS do, and _nothing_ currently does the former.

Based on discussions with Arrfab on #centos-devel, it seems like it'd make sense to do GPG signing of repodata for all CBS repos automatically.

Can we please have this soon, so that everything can be wired up?
Additional InformationReference ML topic: https://lists.centos.org/pipermail/centos-devel/2018-February/016453.html

openSUSE ticket: https://progress.opensuse.org/issues/29568
TagsNo tags attached.
Attached Files

-Relationships
+Relationships

-Notes
There are no notes attached to this issue.
+Notes

-Issue History
Date Modified Username Field Change
2018-02-12 14:43 ngompa New Issue
+Issue History