[Pulp-dev] Should signing service be associated with Publication or Repository?

[Neal Gompa]

On Thu, Mar 19, 2020 at 11:14 PM Dennis Kliban <dkliban at redhat.com> wrote:
>
> RPM plugin allows users to define a signing service per repository. All publications created from repository versions of that repository are signed with that signing service.
>
> The Debian plugin requires the user to specify the signing service each time a publication is created. The signing service foreign key is stored with each publication.
>
> Even though the implementation in Debian requires the user to provide the service href each time a publication is created, it seems like a stronger model. The signing service associated with a repository can change thus making it challenging to keep track of which signing service was used to create a publication.
>
> We should change the behavior in the RPM plugin before we release this feature.

Isn't the reason for the difference that Debian repos only have
repodata signed and not packages?

I guess technically we could use different GPG keys for each
repository publish, but that would lead to multiple copies of the same
RPM with different data, since the expectation is that both RPMs and
the repodata should be signed for RPM repositories.


-- 
真実はいつも一つ！/ Always, there's only one truth!