Best way to sign packages before adding to the repos?

Chris Weyl chris.weyl at gmail.com
Fri Nov 18 15:08:31 UTC 2005


On 11/16/05, Dan Williams <dcbw at redhat.com> wrote:
> The way Fedora Extras does it right now, there's a cron job or something
> that pushes the built RPMs to the real repository directory and signs
> them at that point.
>
> If you want to use the repository the build server dumps built RPMs
> into, then you can use the repo scripts feature of the build server.
> There's a config option in each target file on the build server which
> accepts a path to the repo script.  That script is run after RPMs have
> been copied to the repo, and is given one argument: the target
> string for the repo, which takes the form of something like
> "fedora-development-core" or "fedora-extras-4".  You could probably do
> the signing from that script.

Ok, that makes sense; it seems to catch it right before adding it to the repos.

> Some issues to know about repo scripts:  they are called every time
> packages are added to the repository.  That means, if you want to do
> stuff only at certain times, like midnight, you have to do time tracking
> yourself to make sure your script is only called every 24 hours.  Also,
> the build server blocks while the script runs, so it will kill the
> script after 1 hour of runtime to make sure that stuff doesn't block for
> too long.
>
> This part hasn't been too tested or fleshed out, so if you think of
> ideas for improvements, feel free to propose them.

Hmmm...  One thing that comes to mind is that it would be useful if,
as a second & third parameter, the repo_script took the name of the
package, and the version-revision-etc that had just been built.  That
could save time, either by avoiding any magic to figure out which one
had just been completed, or by allowing brute-force approaches caused
by not wanting to create said magic :)

Another thing, if the packages have already been added to the local
repos when the build state is "needsign", then what's the point of
that step?  If we go and sign them, then we need to play with the
repos cache/etc to maintain a valid state; if we pull them out and
push them to another (signed/etc) repos, then it's not needed; if we
don't sign them it's not needed.  IMO, it would be far more useful if
packages held in this state weren't actually added to the repos until
after manually "finished".

                                            -Chris
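As an added illustration of the repo-script hook Dan describes (one argument, the target string; invoked on every push; the server blocks and kills the script after an hour), here is a sketch of a signing repo script. It is not code from this thread or from the Fedora build server. The repository layout under REPO_ROOT, the stamp directory, the 24-hour interval, and the use of rpm --addsign with the signing key already configured in ~/.rpmmacros (%_gpg_name) are all assumptions; the script keeps its own timestamp per target because the server gives it no way to know when it last ran.

```shell
#!/bin/sh
# Hypothetical repo script: called as "reposign.sh TARGET" after RPMs have
# been copied into TARGET's repo directory. Signs whatever is still unsigned,
# refreshes the repo metadata, and records when it last ran so that it only
# does real work once per INTERVAL even though the server calls it on every
# push. Paths and the signing command are assumptions, not the real layout.
set -eu

REPO_ROOT="${REPO_ROOT:-/srv/repo}"             # assumed: one subdir per target
STAMP_DIR="${STAMP_DIR:-/var/lib/reposign}"     # assumed: where "last run" stamps live
INTERVAL="${INTERVAL:-86400}"                   # seconds between signing runs (24h)
SIGN_CMD="${SIGN_CMD:-rpm --addsign}"           # assumed: %_gpg_name set in ~/.rpmmacros

# Map the target string ("fedora-extras-4") to its repo directory. Refuse
# anything but a plain name so a bad argument cannot escape REPO_ROOT.
target_dir() {
    case "$1" in
        ""|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$REPO_ROOT" "$1"
}

# True when no stamp exists for this target or the stamp is older than
# INTERVAL seconds. The stamp holds the epoch time of the last full run.
due() {
    stamp="$STAMP_DIR/$1.last"
    now=$(date +%s)
    [ -f "$stamp" ] || return 0
    last=$(cat "$stamp")
    [ $((now - last)) -ge "$INTERVAL" ]
}

# Record a successful run; only called after signing and createrepo succeed,
# so a run killed by the server's one-hour limit is retried on the next push.
mark_run() {
    mkdir -p "$STAMP_DIR"
    date +%s > "$STAMP_DIR/$1.last"
}

# Print the RPMs under a directory that carry no PGP/GPG signature:
# "rpm -K" lists "pgp" or "gpg" among the checked items only for signed files.
unsigned_rpms() {
    find "$1" -type f -name '*.rpm' | while IFS= read -r f; do
        if ! rpm -K "$f" 2>/dev/null | grep -qiE 'pgp|gpg'; then
            printf '%s\n' "$f"
        fi
    done
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 TARGET" >&2; exit 2; }
    target=$1
    dir=$(target_dir "$target") || { echo "bad target: $target" >&2; exit 2; }
    due "$target" || exit 0                      # not yet time; return quickly
    unsigned_rpms "$dir" | xargs -r $SIGN_CMD    # GNU xargs: -r skips an empty list
    createrepo "$dir"                            # signed files changed; rebuild metadata
    mark_run "$target"
}

# Only run main when invoked as the script itself, so the functions can be
# sourced and exercised on their own.
case "${0##*/}" in reposign.sh) main "$@" ;; esac
```

Because signing rewrites each RPM, the metadata createrepo produced for the unsigned copies no longer matches; re-running createrepo after signing is what keeps the repo in the valid state Chris is worried about. Writing the stamp only after both steps succeed means a run that the server killed at the one-hour mark simply happens again on the next push.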