
Re: Emdebian auto-signing



I can't really follow what you're writing very well.

With "buildd" do you mean what we run, or the thing you do
to generate your new files?  Maybe sometimes one, sometimes
the other?

How the auto signing works for our buildds is that after the build
the generated files are moved from the chroot to the "build"
directory (as it has always done), but then it signs them with the key
specified in the config file (if any) and after signing it
moves them to the upload directory.  And then we have a cron job
doing the actual uploads.

We need to generate the keys on the buildd and then add them to
a file on ftp-master, which then gets added to a special keyring.
ftp-master has rules on which machines are allowed to have such keys,
and things like that.

I think you really need to talk to ftp-master about all this.


Kurt

On Sat, Oct 01, 2011 at 12:42:16PM +0100, Neil Williams wrote:
> I'm working on Emdebian Integration [0] which will be using
> post-processing to take packages uploaded by the buildds, remove
> documentation and make other architecture-neutral changes, add a
> version suffix and upload to the equivalent Emdebian suite. unstable
> goes to unstable-grip etc.
> 
> I've got a question on how to arrange the GnuPG signing key which will
> be used to sign the .changes files generated by the process using the
> data from ries.
> 
> ries: crontab generates a file, pushes that file to the buildd via SSH.
> 
> buildd: downloads packages for multiple architectures, post-processes
> them for Emdebian (adding the em1 version suffix, removing docs etc.)
> and generates a series of .changes files suitable for upload to the
> Emdebian suites (${suite}-grip, e.g. unstable-grip etc.).
> 
> ftp-master: receives the (smaller) packages with an em1 version suffix
> targeted at the Emdebian suite, populates the suite and updates
> projectb using dak so that the script on ries can use that data in
> subsequent queries.
> 
> The buildd I'm thinking of using is www.emdebian.org which is a virtual
> server hosted by bytemark, sponsored by toby-churchill.com.
> 
> What is involved in autosigning the .changes files for uploads from
> this machine? Is it easier to adapt the buildd process to use one of
> the existing amd64 buildd machines to run the Emdebian code (which is
> many times faster than the equivalent package build)? If a different
> machine is preferred, I'll adapt the emdebian-grip package in Debian to
> prepare a minimal version which only has the dependencies needed for
> the emgrip task itself. (dpkg-dev, devscripts {without recommends},
> debhelper and patchutils {for dscextract}). If that's easier to manage
> in a chroot, that's fine but it doesn't explicitly need a chroot.
> 
> I will need to set up an SSH connection to push the data file to
> www.emdebian.org anyway to allow testing and initial setup.
> 
> I want to check if we should actually be using a different server or
> whether autosigning involves requirements for access to the emdebian.org
> machine and whether that is as an ordinary user just for the buildd
> process or full access. I need to check with work before granting
> access to the current machine. Is the signing separate from the buildd
> process? If it is, does that involve copying the entire upload or just
> the .changes file & .dsc?
> 
> Thanks for your help with this.
> 
> [0] http://wiki.debian.org/EmdebianIntegration
> [1] http://wiki.debian.org/EmdebianIntegration#Mechanisms
> 
> 
> -- 
> 
> 
> Neil Williams
> =============
> http://www.linux.codehelp.co.uk/
> 


