Delays in package processing

Thorsten Leemhuis fedora at leemhuis.info
Thu Dec 20 07:41:24 UTC 2007


On 20.12.2007 05:39, Michael Schwendt wrote:
> On Wed, 19 Dec 2007 14:55:51 -0500, Tom "spot" Callaway wrote:
>> On Wed, 2007-12-19 at 11:52 -0800, Bryan O'Sullivan wrote:
>>> Is the package signing step done by hand?  That's been my understanding,
>>> but maybe I'm missing something.  It reminds me of Sigourney Weaver's
>>> role in "Galaxy Quest": a seemingly needless insertion of people into
>>> the process.
>>> If so, why?  Can we switch to an automated process?
>> It is currently a manual process, and Jesse Keating has been working for
>> some time to make an open source signing server that will work for
>> Fedora's infrastructure needs but also be useful for anyone.

Just wondering: Is Jesse the only one that does pushes? Maybe we should
give at least one other person access to the signing key?

> A signing-server doesn't fix everything. It may help with the security
> implications of giving away the key password as was done for Extras. But
> hoping for much more frequent or automated pushes of non-critical updates
> would be insane. Releasing new repodata and new packages too often would
> make the repositories a moving target for all mirrors. 

Agreed, but on the other hand there are currently up to four (or even
more) days between pushes afaics (the last one right now for example was
on 15 December 2007):

* for normal updates that's not a problem, but I think four days is
too long a delay for updates that fix security issues.

* I've seen packages that were requested for updates-testing in bodhi
and then requested for stable just a few days after that -- the packager
afaics had assumed the package had been in the testing repos for a few
days, but in fact it never was, as the push never happened, so the
package made it straight to the stable repos; doing pushes to testing
more often might make sense

And, BTW, what exactly is the problem with "moving target for all
mirrors"? There were (are?) yum problems iirc (¹), but I suppose we can
fix them if we want?

CU
thl

(¹) -- downloading metadata from one mirror, a download error on it,
switching to another mirror that has an even newer push where the file
yum tries to download is already gone again
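The race in the footnote, modelled in Python as an added example (not code from the original post, from yum, or from Fedora infrastructure): two in-memory mirrors hold different snapshots of one repository, mirror A still serves the older push but fails the package download, and mirror B already has the newer push in which the file listed in A's repodata is gone. The package names, contents and the Mirror class are constructed for illustration. The naive client resolves once against A's metadata and only fails over the file download, which is exactly the "file is already gone again" case; the second client re-fetches repodata from the mirror it fails over to and re-resolves, so filename and checksum always come from the same snapshot as the file it downloads.

```python
"""Toy model of the yum mirror-failover race described in the footnote.

Added example, not code from the original post or from yum/Fedora.
"""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DownloadError(Exception):
    """Transient errors and missing files, as a client would see them."""


@dataclass
class Mirror:
    name: str
    repodata: dict          # package name -> (filename, expected sha256)
    files: dict             # filename -> file contents
    package_downloads_fail: bool = False   # simulates the download error on mirror A

    def get_repodata(self):
        # Metadata fetches succeed on both mirrors, as in the footnote.
        return dict(self.repodata)

    def get_file(self, filename):
        if self.package_downloads_fail:
            raise DownloadError(f"{self.name}: transient error on {filename}")
        if filename not in self.files:
            raise DownloadError(f"{self.name}: 404 {filename}")
        return self.files[filename]


# Constructed package names and contents (illustrative, not real Fedora packages).
OLD_RPM, OLD_DATA = "foo-1.0-1.fc8.x86_64.rpm", b"old build"
NEW_RPM, NEW_DATA = "foo-1.0-2.fc8.x86_64.rpm", b"new build"

# Mirror A: older push, package downloads fail. Mirror B: newer push, old file removed.
MIRROR_A = Mirror("A", {"foo": (OLD_RPM, sha256(OLD_DATA))},
                  {OLD_RPM: OLD_DATA}, package_downloads_fail=True)
MIRROR_B = Mirror("B", {"foo": (NEW_RPM, sha256(NEW_DATA))},
                  {NEW_RPM: NEW_DATA})


def install_naive(mirrors, pkg):
    """Resolve once against the first mirror's repodata, then fail over only
    the file download. The filename chosen from A's metadata no longer
    exists on B, so the install fails even though B could serve the package."""
    filename, want = mirrors[0].get_repodata()[pkg]
    for m in mirrors:
        try:
            data = m.get_file(filename)
        except DownloadError:
            continue
        if sha256(data) != want:
            return f"checksum mismatch for {filename} on {m.name}"
        return f"installed {filename} from {m.name}"
    return f"failed: {filename} not downloadable from any mirror"


def install_resync(mirrors, pkg):
    """On every failover re-fetch repodata from the new mirror and re-resolve,
    and verify the checksum against that same snapshot before accepting."""
    last_error = None
    for m in mirrors:
        filename, want = m.get_repodata()[pkg]
        try:
            data = m.get_file(filename)
        except DownloadError as e:
            last_error = e
            continue
        if sha256(data) != want:
            # Mirror is mid-sync (metadata and files disagree): unusable.
            last_error = DownloadError(f"{m.name}: checksum mismatch for {filename}")
            continue
        return f"installed {filename} from {m.name}"
    return f"failed: {last_error}"


if __name__ == "__main__":
    print(install_naive([MIRROR_A, MIRROR_B], "foo"))
    print(install_resync([MIRROR_A, MIRROR_B], "foo"))
```

The resync variant trades one problem for another, which is the practitioner's caveat here: re-resolving on failover means the set of packages actually installed can differ from what the user saw in the first mirror's metadata, so the checksum from the new snapshot must be verified rather than the one cached from the old snapshot. The cleaner infrastructure-side fix is to keep files from the previous push on the master for long enough that mirrors have a sync window, which is the concern behind the "moving target" objection quoted above.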