On Mon, Apr 16, 2018 at 12:32 PM, Jonathan Dieter jdieter@gmail.com wrote:
> On Mon, 2018-04-16 at 09:00 -0400, Neal Gompa wrote:
> > On Mon, Apr 16, 2018 at 8:47 AM, Jonathan Dieter jdieter@gmail.com wrote:
> > > I've also added zchunk support to createrepo_c (see https://github.com/jdieter/createrepo_c), but I haven't yet created a pull request because I'm not sure if my current implementation is the best method. My current effort only zchunks primary.xml, filelists.xml and other.xml and doesn't change the sort order.
> > Fedora COPR, Open Build Service, Mageia, and openSUSE also append AppStream data to repodata to ship AppStream information. Is there a way we can incorporate this into zck rpm-md? There's been an issue for a while to support generating the AppStream metadata as part of the createrepo_c run using the libappstream-builder library[1], which may lend itself to doing this properly.
> Is it repomd.xml that actually gets changed or primary.xml / filelists.xml / other.xml?
> If it's repomd.xml, then it really shouldn't make any difference because I'm not currently zchunking it. As far as I can see, the only reason to zchunk it would be to have an embedded GPG signature once they're supported in zchunk.
repomd.xml is being changed, so it should be fine, then. It'd be nice to be able to chunk up AppStream data eventually, though.
> > > The one area of zchunk that still needs some API work is the download and chunk merge API, and I'm planning to clean that up as I add zchunk support to librepo.
> > > Some things I'd still like to add to zchunk:
> > > - A Python API
> > > - GPG signatures in addition to (possibly replacing) overall data checksum
> > I'd rather not lose checksums, but GPG signatures would definitely be necessary, as openSUSE needs them, and we'd definitely like to have them in Fedora[2], COPR[3], and Mageia[4].
> Fair enough. Would we want zchunk to support multiple GPG signatures or is one enough?
Historically, we've used only one GPG key because that's what we do with RPMs, but technically you can specify multiple keys in a .repo file for Yum, DNF, and Zypper to use for validating packages and metadata, so it's absolutely possible to have more. I'd probably suggest, if it's not too difficult, supporting multiple signatures.