SB: signing service questions
Hello,
Thank you all for participating in the SB sprint.
I am writing this email to clarify the current status of the signing
service and to discuss some things that were not clear.
Current state of the signing service:
- We successfully tested signing and preparing the source package for
shim, fwupdate and linux kernel (we didn't tested grub)
- We didn't test submitting the package with dput thought
- We didn't test integration with dak
- We have an audit log where we log all the files that are being signed
(this table grows forever)
Things I want to discuss/clarify:
- State table (incomplete/failed/signed/submitted):
We didn't implemented the way it was written in the etherpad, we
started discussing this on Sunday but some people had already left.
* We decided to not remove anything from the table, so we can save
the error messages and leave the history there.
QUESTION: should we remove them as we previously discussed (removing
older versions)? Or letting it grow forever is ok?
* Our current table is composed by:
id = Column(Integer, primary_key=True)
ts = Column(DateTime, default=datetime.datetime.now)
template_package_name = Column(String)
template_package_version = Column(String)
state = Column(String(64), nullable=False)
error_msg = Column(String) # empty if state is not "failed"
suite = Column(String)
architecture = Column(String)
* We still don't have a counter to save how many time we failed (this
is a TODO), the idea is to notify when we failed more the X times.
* We are not (re)signing a package if it has the same
[template_package_name, template_package_version, architecture, suite],
and has "failed" or "submitted" state (but we need to change that to
consider how many times we failed)
NOTE: we ignore the archive, because the packages submitted to
security-master are submitted to dak again to ftp-master latter, and we
don't want to sign the package twice
QUESTION: shouldn't we drop the suite as well? Or is it possible to
have different packages in the same suite with the same
package+version+architecture? When
a package migrate from unstable to testing does it goes through dak
again? When a package gets uploaded from security-master to ftp-master
is the suite always the same?
QUESTION: can't we drop the architecture as well? The architecture is
already part of the name of the template package no? Well, doesn't hurt
to leave it there thought
Thanks again
Helen
Reply to: