Sent from my iPhone
> On Dec 7, 2013, at 8:29 PM, Ben Bullard <[email protected]> wrote: > > Point # 1. > > Obviously I'm on QA team. Why am I finding packages in update repos that QA > team has not vetted? That is our job period end of discussion. > > NO packages are to go to update repos without QA approval. Is this hard to > understand? > You are describing a fragile QA process that breaks when expedient process short-cuts are taken. Meanwhile there are no "BAD" signatures, there are packages appearing that are _NOT_ signed with the "official" key according to policy. Each and every report of "BAD" signatures forces me (because that is a potential security level problem in RPM) forces me to repeat exactly this response. Fix your process please: these reports are coming in predictably every few months. > Point # 2. > > Is it policy that packages in restricted are unsigned? If so I see massive > public relations problem. And I mean a huge problem. Currently all or most > are unsigned. Please correct me if I'm seeing this issue incorrectly. > Again, THERE ARE NO UNSIGNED PACKAGES. It is not possible to use rpmbuild from @rpm5.org without producing a automagically signed package. > To define the problem how would we inform users of such policy. It isn't > workable IMOH. > > Be I not mistaken all packages in OpenMandriva repos must be signed or > removed from said repository. > > Am I misinformed? > No but you need to focus on what the problem actually is, using the correct vocabulary, before the process problem will be repaired. > And I'm willing to do the research to correct this issue. > Good. hth 73 de Jeff > -- > Thanks, > Ben > ------------------------- > OM-QA mailing list > [email protected] > http://ml.openmandriva.org/listinfo.cgi/om-qa-openmandriva.org >
