On Mon, 23 Sep 2013, Nico Kadel-Garcia wrote:

> Let us know if there's anything we can do to help out, or help get package
> updates flowing into RPMforge again.

It was discussed off-list a few times over the past 3 years. I don't mind someone else continuing the repository. My only concern is that signing with my key (my name is related to that key) is not an option for me if I didn't build and verify the build myself.

So if the builds move to someone else (or more than one person), it should be signed with a different key. At first I didn't want this change to be something that happened automatically (as changing trust is something that should be a decision).

But since the situation is now probably worse than if David would be updating the packages, I am fine with simply making the RPM print a message if it moves from the old key to newer keys. So people are aware that this change has taken place.

So for me the only thing that I am needed for to make this change happen:

 - Sign the new rpmforge-release package with my key, which includes
   David's key (or a project key?)

(- And paying for the infrastructure ;-))

David already has access to the main mirror afaik, so in theory he could push new packages directly to the main mirror, but without the key being distributed in advance this obviously makes no sense.

BTW In the past the PPC builds were signed exclusively by Fabian, and the Fedora/Aurora builds were signed exclusively by Dries. So we already allowed some people to sign RPMs, but it was strictly for different architectures/releases. We never mixed signing keys for a single repository, so you trusted only one person who was responsible for the build.

For me that was always very important, because if you install an RPM package, you basically trust your complete system to the person that created the package! I have earned that trust from a lot of people, and I probably broke that trust by failing to build these updates.

Although I never promised to keep doing this indefinitely, I also never decided to stop doing it, it just happened slowly. Because of many things happening around the same time: CentOS burnout, two kids, house renovations, freelancing, ... And I don't feel good about this situation either, trust me.

--
-- dag wieers, [email protected], http://dag.wieers.com/
-- dagit linux solutions, [email protected], http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]