abuild issueshttps://gitlab.alpinelinux.org/alpine/abuild/-/issues2024-03-24T16:17:48Zhttps://gitlab.alpinelinux.org/alpine/abuild/-/issues/9016Support GnuPG public keys as an alternative to checksums2024-03-24T16:17:48ZalgitbotSupport GnuPG public keys as an alternative to checksumsSigned packages provide more security than checksums, e.g. in the case
of corrupt mirrors or download sites.
The private key is only owned by the devs or release managers. All users
can use the well known public key to verify their dow...Signed packages provide more security than checksums, e.g. in the case
of corrupt mirrors or download sites.
The private key is only owned by the devs or release managers. All users
can use the well known public key to verify their downloads. As an
additional feature, the key can be fetched from keyservers, so
corrupt/revoked keys will throw an error.
e.g. in the case of nginx:
Fetch B0F4253373F8F6F510D42178520A9993A1C052F8 in the APKBUILD and fetch
the \*.asc together with the tarball/signed git tag.
*(from redmine: issue id 9016, created on 2018-06-16)*https://gitlab.alpinelinux.org/alpine/abuild/-/issues/5999Provide updates in separately2019-07-14T07:28:23ZV KrishnProvide updates in separatelyPlease provide updates in separately for stable/versioned releases.
There a couple of ways of doing this.
I am outlining one that seems simpler than others.
Applies to versioned/stable releases only (not edge)
eg v3.5 builders
to...Please provide updates in separately for stable/versioned releases.
There a couple of ways of doing this.
I am outlining one that seems simpler than others.
Applies to versioned/stable releases only (not edge)
eg v3.5 builders
to what I know if /home/<bulldozer>/packages/…files… are cleaned after
initial release eg.3.5
then providing future updates can be done in following method.
1.
a. make release v3.5
b. move /home/<bulldozer>/packages/…files… to appropriate nl.a.o
c. freeze folder nl.a.o/v3.5/<main|community>
d. delete /home/<bulldozer>/packages/…files…
e. change the upload path in scripts to “nl.a.o/v3.5/updates/v3.5.1”
f. add nl.a.o/v3.5/updates/v3.5.1 to /etc/apk/repositories ( or which
ever base its using ), not needed if still syncing with edge.
g. \`apk update\`
2.
a. create folder nl.a.o/v3.5/updates/v3.5.1/<main|community>
b. for all builds before tagging v3.5.1 push all
/home/<bulldozer>/packages/…files… to appropriate
nl.a.o/v3.5/updates/v3.5.1/
c. freeze folder nl.a.o/v3.5/updates/v3.5.1 after tagging.
3.
a. change the upload path in scripts to “nl.a.o/v3.5/updates/v3.5.2”
b. add nl.a.o/v3.5/updates/v3.5.2 to /etc/apk/repositories
b. repeat …
*(from redmine: issue id 5999, created on 2016-08-03)*