On Mon, Apr 16, 2018 at 12:32 PM, Jonathan Dieter <jdie...@gmail.com> wrote:
> On Mon, 2018-04-16 at 09:00 -0400, Neal Gompa wrote:
>> On Mon, Apr 16, 2018 at 8:47 AM, Jonathan Dieter <jdie...@gmail.com> wrote:
>> > I've also added zchunk support to createrepo_c (see
>> > https://github.com/jdieter/createrepo_c), but I haven't yet created a
>> > pull request because I'm not sure if my current implementation is the
>> > best method.  My current effort only zchunks primary.xml, filelists.xml
>> > and other.xml and doesn't change the sort order.
>> >
>> Fedora COPR, Open Build Service, Mageia, and openSUSE also append
>> AppStream data to repodata to ship AppStream information. Is there a
>> way we can incorporate this into zck rpm-md? There's been an issue for
>> a while to support generating the AppStream metadata as part of the
>> createrepo_c run using the libappstream-builder library[1], which may
>> lend itself to doing this properly.
> Is it repomd.xml that actually gets changed or primary.xml /
> filelists.xml / other.xml?
> If it's repomd.xml, then it really shouldn't make any difference
> because I'm not currently zchunking it.  As far as I can see, the only
> reason to zchunk it would be to have an embedded GPG signature once
> they're supported in zchunk.

repomd.xml is being changed, so it should be fine, then. It'd be nice
to be able to chunk up AppStream data eventually, though.

>> > The one area of zchunk that still needs some API work is the download
>> > and chunk merge API, and I'm planning to clean that up as I add zchunk
>> > support to librepo.
>> >
>> > Some things I'd still like to add to zchunk:
>> >  * A python API
>> >  * GPG signatures in addition to (possibly replacing) overall data
>> >    checksum
>> I'd rather not lose checksums, but GPG signatures would definitely be
>> necessary, as openSUSE needs them, and we'd definitely like to have
>> them in Fedora[2], COPR[3], and Mageia[4].
> Fair enough.  Would we want zchunk to support multiple GPG signatures
> or is one enough?

Historically, we've used only one GPG key because that's what we do
with RPMs, but technically you can specify multiple keys in a .repo
file for Yum, DNF, and Zypper to use for validating packages and
metadata, so it's absolutely possible to have more. I'd probably
suggest if it's not too difficult, supporting multiple signatures.

真実はいつも一つ!/ Always, there's only one truth!
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org

Reply via email to