[Mageia-dev] Will this work for a build system?

[Robert Xu]

On Mon, Sep 27, 2010 at 11:16, R James <upsnag2 at gmail.com> wrote:
> On Mon, Sep 27, 2010 at 5:31 AM, Buchan Milne <bgmilne at multilinks.com> wrote:
>>
>> IMHO, you should also keep the public keys of tarball signers. Please have a
>> look at the samba SPEC file, which does verification of the tarball signature
>> during %prep. In conjunction with the existing build tools (repsys/mdvsys
>> etc.), a single command ('mdvsys update samba xxx') currently (usually)
>> updates and submits the package, and building it at any time validates the
>> source tarball.
>>
>> Actually, I still need to petition other security-sensitive packages which
>> have previously said that tarball signing is irrelevant (due to the problem of
>> first establishing trust of public keys etc.).
>>
> For the initial launch of Mageia, I understand the benefits of having
> a trusted build system in a controlled data center.  Its safe, simple
> and when the initial deployment issues arise, physical access to the
> servers may be required.
>
> However, if a system is devised which allows known/trusted
> contributors to provide good hardware and bandwidth for package
> building, I'd be very willing to participate. :-)

Now, I don't know how Mandriva did its build system, but we will
ALWAYS need physical access to servers. If something goes so terribly
wrong that one has to reinstall the whole freaking OS, that's not
going to help Magiea unless we have access.

Personally, I like either the Koji build system or the openSuSE Build
Service; personally, the OBS sounds better to me, because it can
natively sign packages, submit request system, ACL, cross-compile,
etc.
But then again, that's just me, b/c I use a local instance at home and
I'm used to setting up the OBS from a minimal install.

I've always had trouble setting up Koji... it feels less friendly to me.

There are a great amount of tutorials on en.o.o, so check it out.

-- 
later, Robert Xu