On 23.9.2013 17:49, Dag Wieers wrote:
> It was discussed off-list a few times over the past 3 years. I don't
> mind someone else continuing the repository. My only concern is that
> signing with my key (my name is related to that key) is not an option
> to me if I didn't build and verify the build myself.

Yes, that's true. We have almost everything available to the community but the build and sign process. I can't sign with your key. What's more, I DO not want to. All the credit to you, Dag. You did a wonderful job for a very long time. I'm here to help, not to bring you down...

> So if the builds move to someone else (or more than one person), it
> should be signed with a different key. At first I didn't want this
> change to be something that happened automatically (as changing trust
> is something that should be a decision).
>
> But since the situation is now probably worse than if David would be
> updating the packages, I am fine with simply making the RPM print a
> message if it moves from the old key to newer keys. So people are
> aware that this change has taken place.
>
> So for me the only thing that I am needed for to make this change happen:
>
> - Sign the new rpmforge-release package with my key, which includes
> David's key (or a project key ?)

Packages are signed with my key because I have the whole infra already. I do not want to have packages signed with your key nor someone else's. Packages must be signed with the project key. This is something I'm planning to have.

> (- And paying for the infrastructure ;-))

No, no one wants you to pay for the infra. I can provide the infra free of charge, plenty of HW.... We do not need a lot of boxes, I guess something like 5 VMs. We have a fair amount of mirrors all over the world.

> David already has access to the main mirror afaik, so in theory he
> could push new packages directly to the main mirror, but without the
> key being distributed in advance this obviously makes no sense.

This is something I did not want to happen. That's why my sidestep with the updates repo...

> BTW In the past the PPC builds were signed exclusively by Fabian, and
> the Fedora/Aurora builds were signed exclusively by Dries. So we
> already allowed some people to sign RPMs, but it was strictly for
> different architectures/releases. We never mixed signing keys for a
> single repository, so you trusted only one person who was responsible
> for the build.
>
> For me that was always very important, because if you install an RPM
> package, you basically trust your complete system to the person that
> created the package! I have earned that trust from a lot of people, and
> I probably broke that trust by failing to build these updates.

Right, take the end user's point of view... Six months without the updates. Damn the updates, I do not care about the bleeding edge, but there are packages with security holes... This is the point of the missing updates...

> Although I never promised to keep doing this indefinitely, I also
> never decided to stop doing it, it just happened slowly. Because of
> many things happening around the same time: CentOS burnout, two kids,
> house renovations, freelancing, ... And I don't feel good about this
> situation either, trust me.

Dag, I'm the very last to blame you.

Thanks,
DH

_______________________________________________
users mailing list
[email protected]
http://lists.repoforge.org/mailman/listinfo/users
