[lsb-discuss] LSB conf call notes for 2008-10-01

[Jeff Licquia]

Attendees: Jeff Licquia, Russ Herrold, Stew Benedict, Ted Tso, Mats
Wichmann, Brian Proffitt, Ron Hale-Evans, Kay Tate, Robert Schweikert,
Dalibor Topic, Alexey Khoroshilov, Jiri Dluhos.

Jeff: new x86-64 box.  Distributions to install on new box?  Alexey:
openSuSE 11.1.  Ted: may want to work with SuSE to get their SLES 11
prerelease, also Red Hat Rawhide.  Mats: SLES 11 is in beta.  Ted:
Fedora.  Should be able to get us access to RHEL 5, asking them what
they'd like tested.  General rule of thumb: Ubuntu, SLES, and RHEL,
current enterprise release, latest community distro, prereleases.  Russ:
those change frequently.  Ted: would like immediate feedback on changes.
 Jeff: can probably get updates.  Ted: ideally, all the distros would
continuously test against latest released stuff.

Jeff: old x86-64 box?  Ted: stability problems?  Mats: only when we ran
the Xen kernel.  Russ: mirror/install archive for local subnet stuff?
Jeff: nervous about changing during the release process; do we have
issues at OSUOSL?  Ted: might have power issues; might be asked to
rotate something out if we deployed something new.  Could be a good
place to deploy test stuff, etc.

Spec builds.  Jeff: fixed?  Mats: yes.  Ted: moving off proprietary
software?  Jeff: bug is there, lower priority unless we run into problems.

SI.  Jeff: being built.  Ted: what machines is he using?  Jeff: his own,
possibly the Novell box.  Ted: will ping re: getting him to use our
infrastructure.  Jeff: could move to the new box.  Ted: also, is the
Novell machine still useful for that?  Let's make sure we're using the
machines as efficiently as possible.

Russ: found some bugs in our scripts regarding missing sigs, also we're
seeing packages getting signed with the wrong keys.  Providing a
passphrase via expect; should make sure we sign the right stuff with the
right keys.  Can't find a statement about which keys the LSB uses.  Not
confident that we can prove that LSB packages are correct and not
corrupted.  Also, signing noarch packages with a key for x86-64
packages, etc.  Why do we need different keys for each autobuilder?
Also, docs for which keys serve which roles.  Key management is probably
bad as well.  Jeff: autobuilder and release key roles separation.  Russ:
keys should be signed by outside people for web-of-trust.  Jeff: use one
key per release role, instead of different keys for different packages?
 Russ: yes.  Mats: yes.  Could also consolidate the autobuilder key to
one.  Russ: three keys, one for autobuilder, one for beta, one for
release.  Mats: there is a master LSB key for signing other keys.  It's
signed by a few people in the keyservers.  Ted: how old is it?  Mats:
old.  Russ: fingerprint?  Mats will dig up and post in IRC.  Ted: should
probably build a formal proposal.  Should also think about regenerating
keys every so often.  Also: how should we protect non-autobuilder keys?
 Russ: communication plan as to announcement of new keys, and security
adjustments.  Ted: maybe not on RH scale, but do need something like
that.  Russ: also, sending gpg errors to /dev/null is bad.  Filed bugs.
 Ted will write the key management proposal.