Hi Baurzahn, On 25/09/2019 12.26, Baurzhan Ismagulov wrote: > Hello Claudius, > > On Wed, Sep 25, 2019 at 12:14:19PM +0200, Claudius Heine wrote: >>> 2. Support for using password protected keys. >> >> There are two use-cases for base-apt AFAIK: Use it to distribute a >> repository to the end user and for reproducible/offline build. >> >> I agree that for the former having a password protected key for signing >> the repo would be good. For the latter use-case though that might get >> cumbersome. >> >> Maybe we should split this use-case and have something different for >> reproducible/offline build? > > This is my understanding. I see all of the following as required: > > 1. Unsgined base-apt > 2. Signed base-apt w/o passphrase > 3. Signed base-apt w/passphrase Right. It would just be inconvenient to switch between those configurations for the different use cases that should be satisfiable simultaneously without change of configuration files or deleting build results. I am currently not using Isar, but is something like this possible? BASE_REPO_KEY = "" bitbake ... BASE_REPO_KEY = "prod.key" bitbake ... Meaning it should first create the base-apt without key and on the second command just sign the repo with the 'prod.key' (and possible ask for password, hardware key or what not). This would allow for a 2-stage process, first building and testing and second signing the repo to signify that everything was tested and works. > > >> Also 'base-apt' is a bad name... > > Like with isar-apt, it was difficult to find a short and intuitive one. Do you > have a suggestion? > > >>> 4. Support for adding packages only to base-apt. >> >> If the base-apt should be used for distributing packages to the >> end-user, it might also be useful to exclude certain packages. > > Could you give an example? After that is a copy of Debian, what is your > concern? Two departments of the same company, one that develops debian bin and possible src packages and deploys them to a internal repo for other departments to use, and the other department that takes these packages and installs them to an image for the customer. Those packages are not build by isar then and would be placed in the base-apt repo together with the src package for delivery to the end-customer, which might not be what was desired. We should probably just check the license and only deliver packages that are required to be redistributed. regards, Claudius -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153 Keyserver: hkp://pool.sks-keyservers.net