[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Time to resurrect multi-key signatures in RPM?



On Wed, Aug 27, 2008 at 5:52 AM, Bojan Smojver <bojan rexursive com> wrote:
> Well, just because we base our build comparisons right now on something as crude
> as raw checksums, doesn't mean this has to be like that forever. We may find
> ways of comparing builds differently to determine if they were compromised, by
> explicitly excluding well known differences within binaries.

How about you back up and just work on this very specific problem of
deterministically doing build comparisons across disparate build
systems ..before we even begin to discuss how a multiple sigantory
process which relies on that.

> I didn't say SUSE or Ubuntu folks would have to build Fedora packages on their
> build systems, just their build farms (i.e. machines). Isn't koji open source?
> If it is, they could run that just fine.

They would have to choose to run koji, instead of their own setups.
I'm not going to hold my breath on that.  If you were going to lobby
them to use koji, you should start with OpenSuse and help them
integrate the features they need into the koji base.  Even if the
multiple signatory idea does not pan out, having OpenSuse as koji user
and contributor would be great.

-jef


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]