Add key to rpmforge-release

[davidhrbac]

@dagwieers can you build for the community the very last rpmforge-release package with a new projeckt key, so we can smoothly transition to the new key? I will provide you with the key. Are you willing to help?

[davidhrbac]

I guess, thaw we can go like this:

• new release of rpmforge-release package containing new signing key, package itself signed with Dag's one
• we will create new package repoforge-release obsoleting rpmforge-release and signed with the new key
• meanwhile I will test to create a new repoforge tree and resign all the packages with the new key so to comfort Dag

[dagwieers]

@davidhrbac Sure, send me the key.

I need to revive my old buildsystem first. It has been down for 2 years, but I don't expect that to be a real issue. So it shouldn't take a lot of time.

PS You don't actually need to resign everything. You can just keep my old key in the new package if you like. But if you prefer to resign, that's fine for me as well. (Resigning means mirrors will have to re-transfer, but it also means that you take responsibility (and trust) of those RPMs that were build by me. And that may be a but weird. That's why we decided to have separate keys for Dries and Fabian, rather than sharing one key for the project.)

[davidhrbac]

@dagwieers as I remember you wanted the project to sort out the issue distributing packages signed by you while not being involved in the project anymore. You were pointing out not to damage your reputation.

[davidhrbac]

@dagwieers I'm OK with providing the packages with original keys if you do not mind. Much easier to manage.

[dagwieers]

@davidhrbac Yes, indeed. I object to handing my singning key to another person so he can sign stuff in my name. In my opinion, people need to consciously agree to trust someone else. I still prefer that. But I did concede eventually to repackage someone else's key if the package and project were changed publicly. Which I hope you intend to do.

BTW I might still help out from time to time if that is permitted, because I do still have the need for packages myself. But I don't have the time to run the complete project like I did years ago.

[dagwieers]

So, again, where is that public key you want me to package ?

[davidhrbac]

@dagwieers that's my opinion too. We do not want your signing key. We will continue to provide the packages signed by you.

As of now I do not have the proper key. I need to create a new one. We have the testing one http://repository.it4i.cz/mirrors/repoforge/RPM-GPG-KEY-RepoForge-Test-Key-1

I will provide you with another one, OK?

[dagwieers]

Ok. Send it to me by mail :-)

[davidhrbac]

Just for the record:Keys have been sent by email now.

http://repository.it4i.cz/mirrors/repoforge/RPM-GPG-KEY-RepoForge-Sign-Key-1 http://repository.it4i.cz/mirrors/repoforge/RPM-GPG-KEY-RepoForge-Test-Key-1

[chris001]

If I may make a suggestion, I think it'd be a very good thing to add @dagwieers contact info to the repoforge.org / .com / .net domain records, as one of the contact persons, Dag would be an emergency backup admin. The idea is that two people is always better than one, in case @davidhrbac is unavailable for some time, maybe an emergency happens, or whatever. It'd be extremely rare and unlikely but it'd be for the best to ensure the continuity of the repo for the global community.

[davidhrbac]

@chris001 yes I do not want to be the only one. That's something we have to sort out. Anyway, firstly we need to transfer the domains. We have still not moved repoforge.net.

[zyv]

I can serve as a fallback unless there are better candidates (if Dag wouldn't want to). I have very little time these days, but I will be able to scramble something to help in case of emergency.

[gene1wood]

Once someone (@dagwieers or @davidhrbac ) can produce a new signed version of rpmforge-release with the new signing keys added, then the deprecated apt.sw.be domain can be updated to a working domain.

Has there been any progress on updating rpmforge-release with the new key?

[davidhrbac]

First attempt 82e29d5def2823523ac2c472c0a6620b0d774d40. Not sure how big is RepoForge community...

[gene1wood]

@davidhrbac Thanks! So from this point does @dagwieers need to sign and publish this new version of rpmforge-release after which point you can sign packages and DAG is off the hook?

[davidhrbac]

@gene1wood no @dagwieers is not in the play anymore... Testing release is here http://mirror.it4i.cz/repoforge_test/rpmforge-release/

[davidhrbac]

RepoForge used to be one of the important repositories for CentOS/RHEL. I know that RepoForge is considered to be clinically dead nowadays. On the other hand RepoForge is still physically alive.

We would like to harness community opinion on RepoForge status and future. In case that you use or used to use the RepoForge I kindly ask you to fill up this form to help us with the decision.

The form is here: https://goo.gl/forms/4SLFnD16K4yJeitt2