[Dev] [Monthy tech talk] December 2014

Michał Masłowski mtjm at mtjm.eu
Sun Dec 7 19:59:48 GMT 2014

>    - If packagers:
>      - That's a lot more work, and I think encourages people to be
>        sloppy.

I believe we should aim for packages not being built by packagers on
their systems.

>    - If autobuilder:
>      - I think that this hugely increases the risk of releasing a
>        broken package, if there isn't human intervention.  Right
>        now[1], autobuilder is only used for extremely simple packages.

Can we detect enough broken packages automatically?  (Other distros run
tests after the build.)  We had no testing on mips64el, we still have no
testing for interactions between Arch and Parabola packages.

>      - How do we handle signing?  Do we pass through the sigs of Arch
>        developers in any way?

Have one key for all packages, make the build server sign the packages
that it gets?  Use developer keys only for packages sent to the build
server?  (This is needed to fix the usual missing key issues.)

>      - Where would it run?  That would be a lot of load to put on the
>        main server.
>        - We could build a job server, where a packager has a daemon
>          that gets jobs from the main server, and runs them locally.
>          That makes signing more complex (each dev needs 2 keys; one
>          for normal builds, one for autobuilder builds), and means
>          way more code to be written.

This looks too complex, while it won't be simpler with e.g. two central
build servers (or one that is easy to replace).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20141207/ff6f3428/attachment.sig>

More information about the Dev mailing list