Delays in package processing
Michael Schwendt
mschwendt.tmp0701.nospam at arcor.de
Thu Dec 20 04:39:23 UTC 2007
On Wed, 19 Dec 2007 14:55:51 -0500, Tom "spot" Callaway wrote:
>
> On Wed, 2007-12-19 at 11:52 -0800, Bryan O'Sullivan wrote:
>
> > Is the package signing step done by hand? That's been my understanding,
> > but maybe I'm missing something. It reminds me of Sigourney Weaver's
> > role in "Galaxy Quest": a seemingly needless insertion of people into
> > the process.
> >
> > If so, why? Can we switch to an automated process?
>
> It is currently a manual process, and Jesse Keating has been working for
> some time to make an open source signing server that will work for
> Fedora's infrastructure needs but also be useful for anyone.
A signing-server doesn't fix everything. It may help with the security
implications of giving away the key password as was done for Extras. But
hoping for much more frequent or automated pushes of non-critical updates
would be insane. Releasing new repodata and new packages too often would
make the repositories a moving target for all mirrors. The updates
repository is continuously flooded with version upgrades, which move
farther away from the tested gold release of the distribution only to
break due to new bugs, which then require further updates.
More information about the fedora-devel-list
mailing list