Re: Discussion: Base-apt features

[Claudius Heine <ch@denx.de>]

[-- Attachment #1.1: Type: text/plain, Size: 2892 bytes --]

Hi Baurzahn,

On 25/09/2019 12.26, Baurzhan Ismagulov wrote:
> Hello Claudius,
> 
> On Wed, Sep 25, 2019 at 12:14:19PM +0200, Claudius Heine wrote:
>>> 2. Support for using password protected keys.
>>
>> There are two use-cases for base-apt AFAIK: Use it to distribute a
>> repository to the end user and for reproducible/offline build.
>>
>> I agree that for the former having a password protected key for signing
>> the repo would be good. For the latter use-case though that might get
>> cumbersome.
>>
>> Maybe we should split this use-case and have something different for
>> reproducible/offline build?
> 
> This is my understanding. I see all of the following as required:
> 
> 1. Unsgined base-apt
> 2. Signed base-apt w/o passphrase
> 3. Signed base-apt w/passphrase

Right. It would just be inconvenient to switch between those
configurations for the different use cases that should be satisfiable
simultaneously without change of configuration files or deleting build
results.

I am currently not using Isar, but is something like this possible?

  BASE_REPO_KEY = "" bitbake ...
  BASE_REPO_KEY = "prod.key" bitbake ...

Meaning it should first create the base-apt without key and on the
second command just sign the repo with the 'prod.key' (and possible ask
for password, hardware key or what not). This would allow for a 2-stage
process, first building and testing and second signing the repo to
signify that everything was tested and works.

> 
> 
>> Also 'base-apt' is a bad name...
> 
> Like with isar-apt, it was difficult to find a short and intuitive one. Do you
> have a suggestion?
> 
> 
>>> 4. Support for adding packages only to base-apt.
>>
>> If the base-apt should be used for distributing packages to the
>> end-user, it might also be useful to exclude certain packages.
> 
> Could you give an example? After that is a copy of Debian, what is your
> concern?

Two departments of the same company, one that develops debian bin and
possible src packages and deploys them to a internal repo for other
departments to use, and the other department that takes these packages
and installs them to an image for the customer. Those packages are not
build by isar then and would be placed in the base-apt repo together
with the src package for delivery to the end-customer, which might not
be what was desired.

We should probably just check the license and only deliver packages that
are required to be redistributed.

regards,
Claudius

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

           PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
                             Keyserver: hkp://pool.sks-keyservers.net


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]