[Pulp-dev] Should signing service be associated with Publication or Repository?

Dennis Kliban dkliban at redhat.com
Mon Mar 23 13:52:21 UTC 2020


On Fri, Mar 20, 2020 at 8:35 AM Neal Gompa <ngompa13 at gmail.com> wrote:

> On Thu, Mar 19, 2020 at 11:14 PM Dennis Kliban <dkliban at redhat.com> wrote:
> >
> > RPM plugin allows users to define a signing service per repository. All
> publications created from repository versions of that repository are signed
> with that signing service.
> >
> > The Debian plugin requires the user to specify the signing service each
> time a publication is created. The signing service foreign key is stored
> with each publication.
> >
> > Even though the implementation in Debian requires the user to provide
> the service href each time a publication is created, it seems like a
> stronger model. The signing service associated with a repository can change
> thus making it challenging to keep track of which signing service was used
> to create a publication.
> >
> > We should change the behavior in the RPM plugin before we release this
> feature.
>
> Isn't the reason for the difference that Debian repos only have
> repodata signed and not packages?
>
> I guess technically we could use different GPG keys for each
> repository publish, but that would lead to multiple copies of the same
> RPM with different data, since the expectation is that both RPMs and
> the repodata should be signed for RPM repositories.
>
The RPM plugin does not currently provide the ability to sign packages.
This discussion is only about signing the metadata.

>
> --
> 真実はいつも一つ!/ Always, there's only one truth!
>
>