[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

SB: signing service questions


Thank you all for participating in the SB sprint.
I am writing this email to clarify the current status of the signing service and to discuss some things that were not clear.

Current state of the signing service:
- We successfully tested signing and preparing the source package for shim, fwupdate and linux kernel (we didn't tested grub)
- We didn't test submitting the package with dput thought
- We didn't test integration with dak
- We have an audit log where we log all the files that are being signed (this table grows forever)

Things I want to discuss/clarify:
- State table (incomplete/failed/signed/submitted):
We didn't implemented the way it was written in the etherpad, we started discussing this on Sunday but some people had already left. * We decided to not remove anything from the table, so we can save the error messages and leave the history there. QUESTION: should we remove them as we previously discussed (removing older versions)? Or letting it grow forever is ok?
  * Our current table is composed by:

  	id = Column(Integer, primary_key=True)
  	ts = Column(DateTime, default=datetime.datetime.now)
  	template_package_name = Column(String)
  	template_package_version = Column(String)
  	state = Column(String(64), nullable=False)
  	error_msg = Column(String) # empty if state is not "failed"
  	suite = Column(String)
  	architecture = Column(String)

* We still don't have a counter to save how many time we failed (this is a TODO), the idea is to notify when we failed more the X times. * We are not (re)signing a package if it has the same [template_package_name, template_package_version, architecture, suite], and has "failed" or "submitted" state (but we need to change that to consider how many times we failed) NOTE: we ignore the archive, because the packages submitted to security-master are submitted to dak again to ftp-master latter, and we don't want to sign the package twice QUESTION: shouldn't we drop the suite as well? Or is it possible to have different packages in the same suite with the same package+version+architecture? When a package migrate from unstable to testing does it goes through dak again? When a package gets uploaded from security-master to ftp-master is the suite always the same? QUESTION: can't we drop the architecture as well? The architecture is already part of the name of the template package no? Well, doesn't hurt to leave it there thought

Thanks again

Reply to: