You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Based on http://www.eessi.io/docs/getting_access/native_installation/ and looking at the cvmfs-config-eessi RPM, it looks like you have designed it to coexist with the cvmfs-config-default package. We did the same with our cvmfs-config-computecanada package and this makes sense in some ways and is convenient (providing access to all the CERN, OSG, EGI etc repos). However, our config package also installs a config file which overrides the default config repo to ours:
Although that is the standard default behaviour of CVMFS, if you want to fully avoid the security implications of using a config repo and want to provide an easy way for sites to use EESSI repos only, without any config repo, you could make a new package based on cvmfs-config-eessi (maybe call it cvmfs-config-eessi-standalone) and add the "cvmfs-config" RPM capability, like cvmfs-config-default has:
This would cause cvmfs-config-eessi-standalone to replace and conflict with cvmfs-config-default so the latter would not need to be installed and no config repo would be active. (CVMFS requires the 'cvmfs-config' capability but I think the idea was that organizations could provide this via their own config package if they want to avoid using the default config repo.)
This is assuming that cvmfs-config-eessi directly provides all the config required to access EESSI repos, but I see there are also EESSI config/keys in /cvmfs/cvmfs-config.cern.ch so not sure if that is the case.
Based on http://www.eessi.io/docs/getting_access/native_installation/ and looking at the cvmfs-config-eessi RPM, it looks like you have designed it to coexist with the cvmfs-config-default package. We did the same with our cvmfs-config-computecanada package and this makes sense in some ways and is convenient (providing access to all the CERN, OSG, EGI etc repos). However, our config package also installs a config file which overrides the default config repo to ours:
Without that, in the EESSI installation you get the default that comes with cvmfs-config-default.rpm:
Although that is the standard default behaviour of CVMFS, if you want to fully avoid the security implications of using a config repo and want to provide an easy way for sites to use EESSI repos only, without any config repo, you could make a new package based on cvmfs-config-eessi (maybe call it cvmfs-config-eessi-standalone) and add the "cvmfs-config" RPM capability, like cvmfs-config-default has:
This would cause cvmfs-config-eessi-standalone to replace and conflict with cvmfs-config-default so the latter would not need to be installed and no config repo would be active. (CVMFS requires the 'cvmfs-config' capability but I think the idea was that organizations could provide this via their own config package if they want to avoid using the default config repo.)
This is assuming that cvmfs-config-eessi directly provides all the config required to access EESSI repos, but I see there are also EESSI config/keys in /cvmfs/cvmfs-config.cern.ch so not sure if that is the case.
Related: cvmfs/cvmfs#3542
The text was updated successfully, but these errors were encountered: