-
Task
-
Resolution: Done
-
Normal
-
None
-
None
QE has a few questions we'd like to answer to understand the scope of both feature and testing work involved.
Currently, we're looking for clarification around these 5 questions:
- Who is responsible for testing the actual verification of collections at install time in the ansible-galaxy component?
- If the API for signature information must be available by January 22, and the tooling consuming this API by May 22, what is the timeline for the rest of the related work in Hub, Controller, and the Installers?
- Can collections have multiple signatures from multiple sources?
- Can synchronization remove signatures from collections?
- Do signatures live inside or outside the artifact tarballs?
For more details, see this document of the current full QE plan for content signing verification: https://docs.google.com/document/d/1ntiSKnA0Xn42cIHq_WvWh3S4cQopOAT4aqDZPWKQtsw/edit#