migrate upstream repositories from OBS
The OBS infrastructure has some serious issues, some of which are security related.
The mirrors can get weirdly out of sync, which can cause different file sizes / checksums in the downloaded repository metadata (Packages file for Debian) and the downloaded package. This issue has been observed by our users.
The packages are also downloaded over HTTP, because not all the mirrors support HTTPS. Users have complained about this on the mailing list.
Overall, OBS may be suitable for testing and automation, but the official upstream packages should be somewhere more reliable. I propose to use the same approach as Knot DNS to be more consistent.
Features we want:
- supported distributions
  - Debian (9), 10+
  - Ubuntu (16.04), 18.04, 20.04, latest rolling?
  - Fedora - all supported
  - CentOS 7, 8
  - openSUSE - Leap 15.x
  - Arch is a bonus
- supported architectures
  - x86_64
  - aarch64 ?
  - armv7 ?
- control over build root dependencies (e.g. using a newer/older Knot DNS)
- possibility to use multiple repositories (latest, testing, ...)
- re-builds if distribution packages/dependencies change?
- non-public repositories for security releases for customers?