On Wed, Dec 22, 2021 at 12:00 PM 'Michael Ströder' via Ansible Project <[email protected]> wrote: > > On 12/22/21 17:33, Michael Ströder wrote: > > Is it possible to make ansible-galaxy invoke 'git verify-tag' with a > > locally configured GPG public key on tags specified as version: in > > requirements.yml? > > Hmm, seems there is no such thing yet: > > https://github.com/ansible/proposals/issues/36 > > How does ansible users here deal with ansible collections/roles pulled > from remote resources? Just trust that nobody tampered with the software > repos?
For Red Hat based systems, I use RPMs. Fedora publishes some of them as SRPMs, and I've built up some wrappers to build them alongside the oversized bundle that is now "ansible". Bundling them individually allows some flexibility not available with the oversized "ansible" bundle: see https://github.com/nkadel/ansiblerepo/ for my work. > As a work-around it would be possible for git-based resources to use > > git clone ... > git verify-tag ... > > and then let ansible-galaxy load collections/roles from the locally > pulled git repo. > > Opinions? > > Ciao, Michael. > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/ce9a45f0-458e-32aa-5b5b-c03e3de68c6d%40stroeder.com. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAOCN9rx2BJhuzzEr_FK_vUJTtBtQeEjGbrjnsei_6K%2Bz%3D_w0Qg%40mail.gmail.com.
