From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6740510031426355200 X-Received: by 2002:a5d:4f11:: with SMTP id c17mr9535537wru.227.1569412606615; Wed, 25 Sep 2019 04:56:46 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a1c:cb8f:: with SMTP id b137ls1598600wmg.1.canary-gmail; Wed, 25 Sep 2019 04:56:46 -0700 (PDT) X-Google-Smtp-Source: APXvYqwPxbG2DA0fL6lxBYflI0jCIHAXsNiD2EU/8aCEdOW0XVb2vSI9qyRFvmO1oUMoNd0kqAhV X-Received: by 2002:a7b:cf33:: with SMTP id m19mr7638400wmg.143.1569412606204; Wed, 25 Sep 2019 04:56:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1569412606; cv=none; d=google.com; s=arc-20160816; b=mbEiTmjehXV+RDlPz6/I5epy0H3N3rsXbjb4uTmnVEggPqINtP24vGHKfruV2Qrzzk AQGhHCzCxncJLKbKqiKW3MyvqlWZJzsMVNIeXGemeS7hrz0gcgsmOxzT+ut/mLDlR3oS 5W7OP/BnW6TNOjZIJCWvv7RYwruSO/tDBD/0c5IguUbRAQl5tUZL1tQ3a7k6QRyYlg5I xBwOveaVovl1znrSYHAG/imf5mhlsx9UrrKQbwuolGuqrs91UJdHM7k8Ky3qdajdOX53 E5XfCQQ9oV7GF+Osa6FyYcZgqXJisms2XlrTk5kYjfieANN21FtEt3NtSdxCZ7qaBPdY xL8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:mime-version:user-agent:date:message-id:openpgp:from :references:to:subject; bh=BKt4ucpjUid4EriRPQnR3tVpYh9WPFzUm8Qx0PkYR04=; b=V8PMznrUj3NQ1PflFl2t1eF6cdauRSd1tpUZf0xJZlXwLmiL8oB422MGZoSSR8PLuv H4yArNDRkRrMqqpiIHOb7wzESoqnYXbFfKgsfww1TxehDTOpkjum3/GRnNzd0QOGr72n Y9Nbc7lQjUQrz+plBBajnkFF3TYw6++UsdwVGGueCurLmjSMZdBErpGUq6UrgoeYgONG bn5sM5Zpfx9byMZunstC/+urGM8e4NgZ00edFWbG6DeOYytjP5uVlEQMqihuNJy/9pPe 8nw7EMPZCO7GVZZsbeJKrnKHa9MFM1T3DkhzH4I+XYZXwh0NHyPH4FRB1ZkzbBtB55SM +M5w== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=neutral (google.com: 212.18.0.9 is neither permitted nor denied by best guess record for domain of ch@denx.de) smtp.mailfrom=ch@denx.de Return-Path: Received: from mail-out.m-online.net (mail-out.m-online.net. [212.18.0.9]) by gmr-mx.google.com with ESMTPS id u15si163393wmc.1.2019.09.25.04.56.46 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Sep 2019 04:56:46 -0700 (PDT) Received-SPF: neutral (google.com: 212.18.0.9 is neither permitted nor denied by best guess record for domain of ch@denx.de) client-ip=212.18.0.9; Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 212.18.0.9 is neither permitted nor denied by best guess record for domain of ch@denx.de) smtp.mailfrom=ch@denx.de Received: from frontend01.mail.m-online.net (unknown [192.168.8.182]) by mail-out.m-online.net (Postfix) with ESMTP id 46dc3d6tYFz1rMkH for ; Wed, 25 Sep 2019 13:56:45 +0200 (CEST) Received: from localhost (dynscan1.mnet-online.de [192.168.6.70]) by mail.m-online.net (Postfix) with ESMTP id 46dc3d6nzTz1qqkW for ; Wed, 25 Sep 2019 13:56:45 +0200 (CEST) X-Virus-Scanned: amavisd-new at mnet-online.de Received: from mail.mnet-online.de ([192.168.8.182]) by localhost (dynscan1.mail.m-online.net [192.168.6.70]) (amavisd-new, port 10024) with ESMTP id FuzNd00ail70 for ; Wed, 25 Sep 2019 13:56:45 +0200 (CEST) X-Auth-Info: JNIQziNVAXV+TgYcz9ISKUOtFdk/IuiGykG6QBZL82s= Received: from deneb.denx.de (p578adb1c.dip0.t-ipconnect.de [87.138.219.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.mnet-online.de (Postfix) with ESMTPSA for ; Wed, 25 Sep 2019 13:56:45 +0200 (CEST) Subject: Re: Discussion: Base-apt features To: isar-users@googlegroups.com References: <20190925074122.GA12490@lightning> <20190925102607.cpvf6wurb4orwigx@yssyq.m.ilbers.de> From: Claudius Heine Openpgp: id=6FF2E59F00C6BC2831D864C11173CB199808B153; url=http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x1173CB199808B153 Message-ID: <5e7ef571-512e-f033-6c94-e7f8beaec469@denx.de> Date: Wed, 25 Sep 2019 13:56:37 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 MIME-Version: 1.0 In-Reply-To: <20190925102607.cpvf6wurb4orwigx@yssyq.m.ilbers.de> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="myPB1wIdcab6cOd7mlYW90CyHXwkWobyE" X-TUID: 5VRLKNVYIG3M This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --myPB1wIdcab6cOd7mlYW90CyHXwkWobyE Content-Type: multipart/mixed; boundary="2tSj1sxu661wCltHYsD4Z4gedodJvOwEx"; protected-headers="v1" From: Claudius Heine To: isar-users@googlegroups.com Message-ID: <5e7ef571-512e-f033-6c94-e7f8beaec469@denx.de> Subject: Re: Discussion: Base-apt features References: <20190925074122.GA12490@lightning> <20190925102607.cpvf6wurb4orwigx@yssyq.m.ilbers.de> In-Reply-To: <20190925102607.cpvf6wurb4orwigx@yssyq.m.ilbers.de> --2tSj1sxu661wCltHYsD4Z4gedodJvOwEx Content-Type: text/plain; charset=utf-8 Content-Language: en-MW Content-Transfer-Encoding: quoted-printable Hi Baurzahn, On 25/09/2019 12.26, Baurzhan Ismagulov wrote: > Hello Claudius, >=20 > On Wed, Sep 25, 2019 at 12:14:19PM +0200, Claudius Heine wrote: >>> 2. Support for using password protected keys. >> >> There are two use-cases for base-apt AFAIK: Use it to distribute a >> repository to the end user and for reproducible/offline build. >> >> I agree that for the former having a password protected key for signin= g >> the repo would be good. For the latter use-case though that might get >> cumbersome. >> >> Maybe we should split this use-case and have something different for >> reproducible/offline build? >=20 > This is my understanding. I see all of the following as required: >=20 > 1. Unsgined base-apt > 2. Signed base-apt w/o passphrase > 3. Signed base-apt w/passphrase Right. It would just be inconvenient to switch between those configurations for the different use cases that should be satisfiable simultaneously without change of configuration files or deleting build results. I am currently not using Isar, but is something like this possible? BASE_REPO_KEY =3D "" bitbake ... BASE_REPO_KEY =3D "prod.key" bitbake ... Meaning it should first create the base-apt without key and on the second command just sign the repo with the 'prod.key' (and possible ask for password, hardware key or what not). This would allow for a 2-stage process, first building and testing and second signing the repo to signify that everything was tested and works. >=20 >=20 >> Also 'base-apt' is a bad name... >=20 > Like with isar-apt, it was difficult to find a short and intuitive one.= Do you > have a suggestion? >=20 >=20 >>> 4. Support for adding packages only to base-apt. >> >> If the base-apt should be used for distributing packages to the >> end-user, it might also be useful to exclude certain packages. >=20 > Could you give an example? After that is a copy of Debian, what is your= > concern? Two departments of the same company, one that develops debian bin and possible src packages and deploys them to a internal repo for other departments to use, and the other department that takes these packages and installs them to an image for the customer. Those packages are not build by isar then and would be placed in the base-apt repo together with the src package for delivery to the end-customer, which might not be what was desired. We should probably just check the license and only deliver packages that are required to be redistributed. regards, Claudius --=20 DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153 Keyserver: hkp://pool.sks-keyservers.net --2tSj1sxu661wCltHYsD4Z4gedodJvOwEx-- --myPB1wIdcab6cOd7mlYW90CyHXwkWobyE Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEb/LlnwDGvCgx2GTBEXPLGZgIsVMFAl2LVfUACgkQEXPLGZgI sVPOvg/+L6afqUShnqZwS4ld6OPcwnSUqZXuyZ8EWYoKkdFK6wSXMnjNKguJ97hb TUG9GTtHJxilSMO39x1E7KuCVoLz3kym0nMtUtaxWp95ZiFZvBtwPrBFMIDrhsfA A4BJTNCEq1OqzQjrxuO9IvHPKi9eQUb3Cb+uQD+w5x/SV4SlGrcZWm5tT0KVsLrg RoQNjEMC/ibFy1dhflMonB/bF8B9ATaBk/Ax1LQZ+XVZTpRSq02zw+XdaV9QQ51M aiuTEEooaC3stkkj1S/IyZHwhOysRS64XLtE8iR3n5g0OYoFD4KshdVuIU9uDwEG M8fej5fJW2YxpKAu1tbyapwZKK6BT77RcumXTZKyiLA/0mRpzi6o+7Vqa4rjo+jh soiUL6mF2UeeVukndIXU1kA/YnOHiIMxbq3/o2H3I+eJxtQUIYDS4GdnTqcAp3Pt BuTe9sX0dopfgqlMaknGlvA11T/kqfufqfdvRcAIAWMzWGQUSdfk16TZR8uFGIwe VUzBIVenjx1BUi3HnIQFJ60+iD2H7V+Z6kaR9n9zAIWEkJM7Mnub3LWi+dPNSs68 1iQg971cxwEGSRDp72OWFblcV5oJHTYpQxwF+x0P0ImstQLZauja8Dc3tgSwJadd dB9uw8sUehkHm87Gfvk4lvvGH4Dnd7BIIH+vWoyoN6b7Fs5KItQ= =y/sU -----END PGP SIGNATURE----- --myPB1wIdcab6cOd7mlYW90CyHXwkWobyE--