SB: signing service questions
Thank you all for participating in the SB sprint.
I am writing this email to clarify the current status of the signing
service and to discuss some things that were not clear.
Current state of the signing service:
- We successfully tested signing and preparing the source package for
shim, fwupdate and linux kernel (we didn't tested grub)
- We didn't test submitting the package with dput thought
- We didn't test integration with dak
- We have an audit log where we log all the files that are being signed
(this table grows forever)
Things I want to discuss/clarify:
- State table (incomplete/failed/signed/submitted):
We didn't implemented the way it was written in the etherpad, we
started discussing this on Sunday but some people had already left.
* We decided to not remove anything from the table, so we can save
the error messages and leave the history there.
QUESTION: should we remove them as we previously discussed (removing
older versions)? Or letting it grow forever is ok?
* Our current table is composed by:
id = Column(Integer, primary_key=True)
ts = Column(DateTime, default=datetime.datetime.now)
template_package_name = Column(String)
template_package_version = Column(String)
state = Column(String(64), nullable=False)
error_msg = Column(String) # empty if state is not "failed"
suite = Column(String)
architecture = Column(String)
* We still don't have a counter to save how many time we failed (this
is a TODO), the idea is to notify when we failed more the X times.
* We are not (re)signing a package if it has the same
[template_package_name, template_package_version, architecture, suite],
and has "failed" or "submitted" state (but we need to change that to
consider how many times we failed)
NOTE: we ignore the archive, because the packages submitted to
security-master are submitted to dak again to ftp-master latter, and we
don't want to sign the package twice
QUESTION: shouldn't we drop the suite as well? Or is it possible to
have different packages in the same suite with the same
a package migrate from unstable to testing does it goes through dak
again? When a package gets uploaded from security-master to ftp-master
is the suite always the same?
QUESTION: can't we drop the architecture as well? The architecture is
already part of the name of the template package no? Well, doesn't hurt
to leave it there thought