
Re: [atomic-devel] [CentOS-devel] CentOS Atomic Host SIG Proposal



On 07/28/2014 02:02 AM, Trevor Jay wrote:
> On Fri, Jul 25, 2014 at 06:10:37PM -0400, Jason Brooks wrote:
>> This is just a test image, totally unofficial. I expect the SIG eventually to distribute images with all the sorts of measures you suggest. 
>>
> 
> Fair enough, but could you at least amend your posts to allude to signing etc. or to the current state of (in)security? Given you're @redhat and the recent closer relationship between CentOS and Red Hat, you're a community role model whether you want to be or not. :) People don't always have to "do the right thing^TM", but they should at least know when they are in a state of sin.

If you look at the script, it sets up a signing key that the ostree code
will use. I agree with Jason - people should, at this point, be
consuming the scripts to do their own builds and to build confidence in
the system using the centos.org distro content consumed in
built-for-purpose ostree models.

Worth noting that the upstream ostree repo target is embedded into the
image that gets shipped from the build process, including the key used
to sign the content.

The way CentOS keys are now set up, it's going to need a bit of work for
me to get that key being used in the sign process for an ostree model,
but am working on it.

If the question is just to shasum the iso/qcow2 and sign that shasum
file, we can certainly do that now (but it will still contain whatever
key was used at buildtime for the ostree content under the hood - and at
this point it won't be a centos.org key).


-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc

