Hi, > I understood that index based trust is now impemented in APK: > https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/11008
yep, I've tested that and this part works fine. Although having my QA hat on, there might be probably one missed use case with `apk verify` which is probably not using the package index (yet?) for the verification (as `apk add` does): root@OpenWrt:/tmp# apk verify packages.adb packages.adb: OK root@OpenWrt:/tmp# apk verify 464xlat-13.apk 464xlat-13.apk: UNTRUSTED signature > What else is missing? * ImageBuilder (IB) seems to be broken https://lists.openwrt.org/pipermail/openwrt-devel/2024-September/043186.html * packages CDX SBOMs are missing (we've SBOM only for images x86/64/openwrt-x86-64.bom.cdx.json) * apk version compat in few packages > If on the buildbot side everything is ready to do the switch, then lets > do it as soon as possible I'd say. Yes, buildbot part is prepared, tested and I would say ready for the apk switch. IMO we should really first enable it on the `main` branch and eventually later in `openwrt-24.10` once we're confident, that its release ready (apk itself is release ready, just our integration needs a bit more of testing and love). I've following on my TODO list towards apk switch proposal: 1. Extend GitHub CI action with a test for the ImageBuilder as we're not aware about the current breakage, prevent future regressions, probably continue in https://github.com/openwrt/actions-shared-workflows/pull/5 2. Fix the IB 3. Fix the SBOM generation (perhaps try to QA this part on CI as well?) I'll start with 1. this/next week, hopefully. Cheers, Petr _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
