
Re: [atomic-devel] draft of Every-two-week Fedora Atomic Host change proposal



On Fri, Jun 19, 2015 at 10:11:41AM -0400, Colin Walters wrote:
> > So, maybe it's better to actually trigger image build on tree compose
> > (iff there's an actual change)?
> Everything should trigger on its inputs IMO and not time.
> For example, images are triggered by tree compose *and* the spin-kickstarts git repo.

*nod* I'll make that change in the schematic.

> > I was thinking that there would be two branches — main and testing. The
> > testing branch would consist of "release + updates + updates-testing".
> > (Possibly in the future this could be updates-bleeding, pulled directly
> > from koji or some Copr with no bodhi step, but I don't want to
> > overcomplicate initially.) 
> We could go a *lot* faster if we dropped the requirement that individual
> RPMs were signed, and relied on signing the tree itself.  That's a major
> time sink in the current process.  (There's ways that could be improved
> obviously too...)

There are advantages in having individual RPMs signed, as well. But,
really in this case, I think we just need to get to signing the ostree
commits (automatically), and document what that signature means: the
tree was built in koji from content either released and signed or
officially built in koji. The current signing process doesn't really
involve much assurance beyond that anyway, since there isn't any
careful inspection.


But, also, what do you think of the general workflow for pulling in
updates I suggested, and for correspondence of releases to commits?

> > One possibility would be a manual trigger for the normally-twoweekly
> > release scan. We should check with the security team, but I'm thinking
> > that for a first pass, we could document the images as not being
> > rebuilt async for security and advising doing an `atomic update`.
> Yeah, a manual trigger should be fine.

I'll draw that in too :)

-- 
Matthew Miller            mattdm mattdm org             <http://mattdm.org/>
Fedora Project Leader  mattdm fedoraproject org  <http://fedoraproject.org/> 

