Patch Set 1:
> The latest idea from I have is to reuse CE ISO idea on all ISOs we
> have. On CE ISO we have main.sh which mirror deployment.sh into ISO
> in moment of building. I believe we must do the same things for
> keyring there and do not wget it at all. it should be a part of
> Sipwise ISO. As we do not change keys for already released reelases
> it should be safe.
>
> What do you think?
Sounds good.
What about the worst case scenario that our key(s) leak and we have to resign with new key for existing releases? Just do that and provide updated deployment ISO with new keyring package?
The deployment ISO supports installation of different releases and we have different keys for some of our repositories (so not all of them share the same key), should the deployment.sh script then just look at the correct place on the ISO, depending on the release?
(No objection questions, just to clarify the procedure.)
Patch-set: 1
Patch Set 1: Code-Review+1
basically LGTM to go this way. Please prepare something we can test before merging, I can help you with testing here.
> Well, I'd prefer something more secure...
The latest idea from I have is to reuse CE ISO idea on all ISOs we have. On CE ISO we have main.sh which mirror deployment.sh into ISO in moment of building. I believe we must do the same things for keyring there and do not wget it at all. it should be a part of Sipwise ISO. As we do not change keys for already released reelases it should be safe.
What do you think?
Patch-set: 1
Patch Set 1: Code-Review+1
(2 comments)
Giving +1 since its intentions are fine for me and to not be a blocker by any means, needs bugfix as noted by Alex.
Patch-set: 1
Uploaded patch set 1.
Patch-set: 1
Change-id: I374d131205cc4e9e837dae05d090649c1c80f802
Subject: MT#20141 Use the keyring from the ngcp-keyring package
Branch: refs/heads/master
Commit: 05eb86ed94
Groups: 05eb86ed94
Guillem Jover
Alexander Lutay
Michael Prokop
Jenkins Jenkins