Sent from my iPhone

> On Dec 7, 2013, at 8:29 PM, Ben Bullard <[email protected]> wrote:
> 
> Point # 1.
> 
> Obviously I'm on QA team. Why am I finding packages in update repos that QA 
> team has not vetted? That is our job period end of discussion. 
> 
> NO packages are to go to update repos without QA approval. Is this hard to 
> understand? 
> 

You are describing a fragile QA
process that breaks when expedient process short-cuts are taken.

Meanwhile there are no "BAD" signatures, there are packages appearing that are 
_NOT_ signed
with the "official" key according
to policy.

Each and every report of "BAD" signatures forces me (because that is a 
potential security level problem in RPM) forces me to repeat exactly this 
response.

Fix your process please: these reports are coming in predictably every few 
months.

> Point # 2.
> 
> Is it policy that packages in restricted are unsigned? If so I see massive 
> public relations problem. And I mean a huge problem. Currently all or most 
> are unsigned. Please correct me if I'm seeing this issue incorrectly. 
> 

Again, THERE ARE NO UNSIGNED PACKAGES. It is not possible to use rpmbuild from 
@rpm5.org without producing a automagically signed package.

> To define the problem how would we inform users of such policy. It isn't 
> workable IMOH.
> 
> Be I not mistaken all packages in OpenMandriva repos must be signed or 
> removed from said repository. 
> 
> Am I misinformed?
> 

No but you need to focus on what the 
problem actually is, using the correct vocabulary, before the process problem 
will be repaired.

> And I'm willing to do the research to correct this issue. 
> 

Good.

hth

73 de Jeff
> -- 
> Thanks,
> Ben
> -------------------------
> OM-QA mailing list
> [email protected]
> http://ml.openmandriva.org/listinfo.cgi/om-qa-openmandriva.org
> 


Reply via email to