Hi Gordan.
I prefer to use my Sigul signing system. I can secure the Sigul server more than it is today (with firewall, SELinux, audit and so on, and disconnecting it from the internet).

On 13-11-2016 16:54, Gordan Bobic wrote:
> On 13/11/16 15:07, Bjarne Saltbæk wrote:
>> Hi Jacco.
>>
>>
>> On 12-11-2016 17:59, Gordan Bobic wrote:
>>> On 12/11/16 14:59, Jacco Ligthart wrote:
>>>> Hi All,
>>>>
>>>> I started building RedSleeve 7.3. There probably won't be a release
>>>> before CentOS 7.3 is officially released. That said, I've got a fairly
>>>> decent set of rpms built by now. I did not test any on install yet
>>>> (other than dependencies for build)
>>>>
>>>> To be able to sync the results to you, I need to clean up some disk
>>>> space here.
>>>> @Gordan, could you stop syncing RSEL6 stuff? I'm not working on
>>>> this any more and don't expect to any time soon.
>>>
>>> ACK. Removed all the EL6 related cronjobs. I'll try to make an effort
>>> to tidy and deduplicate the packages in the EL6 tree so there is a
>>> clean set for any future work anybody wants to undertake on it.
>>>
>>> Speaking of which - any volunteers for future EL6 maintenance?
>>
>> Me me :)
>
> Well volunteered. :)
>
>> I sort of stopped working on EPEL6 and started working on EL6
>> after Jacco announced his withdrawal. My Koji instance has built all the
>> packages Jacco built + I patched some more :) - you might want to check
>> my git repo if you have some EL7 packages you can't get to compile as
>> well ;)
>
> Would you be willing to populate the github repo, and switch to
> working from that? It will probably be easier to collaborate using a
> github repo.
>
>> I have not signed the EL6 packages yet with a public key, only with my
>> testing key. But since we have no QA's I can just sign them with another
>> one.
>
> Since you are now officially the RSEL6 maintainer, I'm thinking just
> use your own RSEL6 signing key, just please make sure you keep it safe.
>
> When I say keep it safe, I mean safe from being stolen, i.e. air
> gapped when you are not actively signing the packages after a build run.
>
> Don't keep it _too_ safe, though - I had the original key on a USB
> stick and I put it in a safe - only to find that the USB stick's flash
> data retention was poor enough that the data on it did not survive a
> year in the safe (yes, NAND does that, I recently discovered that even
> many proper SATA SSDs are only rated for 1 year of unpowered data
> retention).
>
> The best idea I have come up with thus far is to convert the key to a
> big QR code, and print it out - then put the printed out copy in the
> safe. To retrieve it, use a webcam on the signing machine to read it
> back.
>
> Gordan
> _______________________________________________
> users mailing list
> [email protected]
> https://lists.redsleeve.org/mailman/listinfo/users
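
An added example, not part of the original thread: the printed QR backup suggested in the quoted message usually needs more than one code, because even the largest QR symbol (version 40) holds only 1273 to 2953 bytes in byte mode depending on error-correction level. The sketch below splits a key export into numbered, checksummed frames and verifies them on read-back; the frame layout and function names are assumptions made here, and turning frames into QR images and scanning them is left to whatever QR tool is used.

```python
import base64
import hashlib
import os

# Byte-mode capacity of a version 40 QR symbol per error-correction level.
QR_V40_BYTES = {"L": 2953, "M": 2331, "Q": 1663, "H": 1273}

def split_for_qr(secret: bytes, level: str = "H") -> list[str]:
    """Split a key export into text frames that each fit one QR symbol."""
    digest = hashlib.sha256(secret).hexdigest()
    header_max = len("9999/9999|") + len(digest) + 1  # "idx/total|sha256|"
    raw_per_frame = (QR_V40_BYTES[level] - header_max) // 4 * 3  # base64 grows 4/3
    chunks = [secret[i:i + raw_per_frame]
              for i in range(0, len(secret), raw_per_frame)]
    return [
        f"{n}/{len(chunks)}|{digest}|{base64.b64encode(c).decode()}"
        for n, c in enumerate(chunks, 1)
    ]

def reassemble(frames: list[str]) -> bytes:
    """Rebuild the key from scanned frames (any order); fail on loss or damage."""
    parts, digests, totals = {}, set(), set()
    for frame in frames:
        pos, digest, payload = frame.split("|", 2)
        idx, total = (int(x) for x in pos.split("/"))
        parts[idx] = base64.b64decode(payload, validate=True)
        digests.add(digest)
        totals.add(total)
    if len(digests) != 1 or len(totals) != 1:
        raise ValueError("frames come from different backups")
    total = totals.pop()
    missing = sorted(set(range(1, total + 1)) - set(parts))
    if missing:
        raise ValueError(f"missing frames: {missing}")
    secret = b"".join(parts[i] for i in range(1, total + 1))
    if hashlib.sha256(secret).hexdigest() != digests.pop():
        raise ValueError("checksum mismatch: rescan or use another copy")
    return secret

if __name__ == "__main__":
    fake_key = os.urandom(3400)  # constructed stand-in for an exported secret key
    frames = split_for_qr(fake_key)
    print(len(frames), "QR codes needed at level H")
    assert reassemble(list(reversed(frames))) == fake_key
```

Level H gives the fewest bytes per code but tolerates the most damage to the printout, which suits paper kept in a safe for years.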
