|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0014483||Buildsys||community buildsys||public||2018-02-12 14:43||2018-02-12 16:40|
|Summary||0014483: Please GPG sign repository metadata for CBS repositories|
|Description||I've been trying to get the CentOS SIG repositories enabled in the openSUSE Build Service.
Last week, I started working with Adrian Schröter (who manages the CentOS configurations on the openSUSE Build Service and is one of the OBS developers and administrators) on getting this done, and the issue right now is that there's no way to securely validate the repodata.
OBS supports two ways:
1. Validating repodata from a mirror using the copy on the master server fetched through HTTPS.
2. Validating repodata through GPG-signed repodata (signed repomd.xml)
While the base repositories do the latter, none of the repositories produced through CBS do, and _nothing_ currently does the former.
Based on discussions with Arrfab on #centos-devel, it seems like it'd make sense to do GPG signing of repodata for all CBS repos automatically.
Can we please have this soon, so that everything can be wired up?
|Additional Information||Reference ML topic: https://lists.centos.org/pipermail/centos-devel/2018-February/016453.html|
openSUSE ticket: https://progress.opensuse.org/issues/29568
|Tags||No tags attached.|
|2018-02-12 14:43||ngompa||New Issue|
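
Added example, not part of the issue report and not OBS or CBS code: a sketch of why a trusted repomd.xml is enough to validate the rest of the repodata, since it carries a checksum for every metadata file. It assumes repomd.xml has already been trusted either by comparison with the master's HTTPS copy (way 1, shown) or by verifying its detached GPG signature (way 2, not performed here); the function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}


def same_as_master(mirror_repomd: bytes, master_repomd: bytes) -> bool:
    """Way 1: the mirror's repomd.xml must match the master's HTTPS copy exactly."""
    return hmac.compare_digest(hashlib.sha256(mirror_repomd).digest(),
                               hashlib.sha256(master_repomd).digest())


def verify_repodata(trusted_repomd: bytes, files: dict) -> list:
    """Check each file listed in an already-trusted repomd.xml against its checksum.

    Returns a list of (href, problem) tuples; an empty list means every file matches.
    """
    problems = []
    root = ET.fromstring(trusted_repomd)
    for data in root.findall("repo:data", NS):
        href = data.find("repo:location", NS).get("href")
        checksum = data.find("repo:checksum", NS)
        algo, expected = checksum.get("type"), checksum.text.strip().lower()
        if algo not in ("sha256", "sha512"):
            problems.append((href, "unsupported checksum type " + algo))
        elif href not in files:
            problems.append((href, "missing from mirror"))
        elif hashlib.new(algo, files[href]).hexdigest() != expected:
            problems.append((href, "checksum mismatch"))
    return problems


def make_repomd(files: dict) -> bytes:
    """Build a minimal constructed repomd.xml describing the given files."""
    entries = "".join(
        '<data type="%s"><checksum type="sha256">%s</checksum>'
        '<location href="%s"/></data>'
        % (href.split("/")[-1].split(".")[0], hashlib.sha256(body).hexdigest(), href)
        for href, body in files.items())
    return ('<repomd xmlns="http://linux.duke.edu/metadata/repo">%s</repomd>'
            % entries).encode()


# Constructed sample: master metadata, and a mirror serving altered primary metadata.
MASTER_FILES = {"repodata/primary.xml.gz": b"constructed primary metadata",
                "repodata/filelists.xml.gz": b"constructed filelists metadata"}
MASTER_REPOMD = make_repomd(MASTER_FILES)
MIRROR_FILES = dict(MASTER_FILES, **{"repodata/primary.xml.gz": b"altered package list"})
```

A mirror that also rewrites repomd.xml to match its altered files passes the checksum loop, which is why the loop is only meaningful after one of the two trust checks has succeeded.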