-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/23/2015 09:49 AM, Stephen John Smoogen wrote:
> On 23 September 2015 at 10:31, Matthew Miller
> <[email protected]> wrote:
>> On Tue, Sep 22, 2015 at 08:45:32PM -0700, Karsten Wade wrote:
>>> AIUI, the concern is that what is labeled/supported by the
>>> CentOS Project as 'CentOS' needs to go through the CentOS
>>> Project QA system. We simply cannot blindly accept builds from
>>> outside of the CentOS builders just on say-so. (Compare to
>>> RPMfusion et al -- putting that repo in as a default for Fedora
>>> users is more than a legal issue, it's a
>>> QA/test/build/sign/release issue.)
>>
>> I can understand that with "out of the family" sources, but with
>> Red Hat now sponsoring CentOS as well as Fedora.... can we build
>> a better bridge of trust, here?
>>
>
> I thought what Karsten was asking for was "Trust but Verify". They
> aren't going to blindly trust RPMs for CentOS more than we are
> going to blindly trust RPMs from COPRs in the build system {I think
> Copr is a better analogy than RPMfusion as that gets covered in
> legal sauce.}. The packages need some sort of testing which would
> actually be more than what we have currently in EPEL. {ssssh I
> didn't say this.}
>
> There are multiple ways they can trust but verify.
> * Rebuild the package in the CBS system and get their CI to run
>   tests as part of that.
> * Run the CI against the packages which depending on how the CI is
>   intertwined with Koji may be harder than it sounds.
> * Help get a similar CI stood up for EPEL and trust those results.

Thanks, yes, this is an accurate explanation of what I meant to say. :)

I also haven't talked with KB about this in a while, he's out of
pocket for the next few weeks, so it may be a bit until we can get his
input.

- - Karsten
- -- 
Karsten 'quaid' Wade .^\ CentOS Doer of Stuff
http://TheOpenSourceWay.org \ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlYDE7AACgkQ2ZIOBq0ODEE0ewCePKKKuRTn90ZboHQjuhBaTWE3
m84AnjnljXIkWGYwyJ1d0gjDIbFd4l6q
=Fkd4
-----END PGP SIGNATURE-----
_______________________________________________
epel-devel mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/epel-devel
