repoforge / rpms

RepoForge.Org package specifications. This is where you can modify RepoForge.Org packages!

Add key to rpmforge-release #381

Open davidhrbac opened 7 years ago

davidhrbac commented 7 years ago

@dagwieers can you build for the community the very last rpmforge-release package with a new project key, so we can smoothly transition to the new key? I will provide you with the key. Are you willing to help?

davidhrbac commented 7 years ago

I guess that we can go like this:

dagwieers commented 7 years ago

@davidhrbac Sure, send me the key.

I need to revive my old buildsystem first. It has been down for 2 years, but I don't expect that to be a real issue. So it shouldn't take a lot of time.

PS You don't actually need to re-sign everything. You can just keep my old key in the new package if you like. But if you prefer to re-sign, that's fine with me as well. (Re-signing means mirrors will have to re-transfer, but it also means that you take responsibility (and trust) of those RPMs that were built by me. And that may be a bit weird. That's why we decided to have separate keys for Dries and Fabian, rather than sharing one key for the project.)

davidhrbac commented 7 years ago

@dagwieers as I remember you wanted the project to sort out the issue distributing packages signed by you while not being involved in the project anymore. You were pointing out not to damage your reputation.

davidhrbac commented 7 years ago

@dagwieers I'm OK with providing the packages with original keys if you do not mind. Much easier to manage.

dagwieers commented 7 years ago

@davidhrbac Yes, indeed. I object to handing my signing key to another person so he can sign stuff in my name. In my opinion, people need to consciously agree to trust someone else. I still prefer that. But I did concede eventually to repackage someone else's key if the package and project were changed publicly. Which I hope you intend to do.

BTW I might still help out from time to time if that is permitted, because I do still have the need for packages myself. But I don't have the time to run the complete project like I did years ago.

dagwieers commented 7 years ago

So, again, where is that public key you want me to package?

davidhrbac commented 7 years ago

@dagwieers that's my opinion too. We do not want your signing key. We will continue to provide the packages signed by you.

As of now I do not have the proper key. I need to create a new one. We have the testing one

I will provide you with another one, OK?

dagwieers commented 7 years ago

Ok. Send it to me by mail :-)

davidhrbac commented 7 years ago

Just for the record: Keys have been sent by email now.

chris001 commented 7 years ago

If I may make a suggestion, I think it'd be a very good thing to add @dagwieers contact info to the / .com / .net domain records, as one of the contact persons, Dag would be an emergency backup admin. The idea is that two people is always better than one, in case @davidhrbac is unavailable for some time, maybe an emergency happens, or whatever. It'd be extremely rare and unlikely but it'd be for the best to ensure the continuity of the repo for the global community.

davidhrbac commented 7 years ago

@chris001 yes I do not want to be the only one. That's something we have to sort out. Anyway, firstly we need to transfer the domains. We have still not moved

zyv commented 7 years ago

I can serve as a fallback unless there are better candidates (if Dag wouldn't want to). I have very little time these days, but I will be able to scramble something to help in case of emergency.

gene1wood commented 6 years ago

Once someone (@dagwieers or @davidhrbac ) can produce a new signed version of rpmforge-release with the new signing keys added, then the deprecated domain can be updated to a working domain.

Has there been any progress on updating rpmforge-release with the new key?

davidhrbac commented 6 years ago

First attempt 82e29d5def2823523ac2c472c0a6620b0d774d40. Not sure how big the RepoForge community is...

gene1wood commented 6 years ago

@davidhrbac Thanks! So from this point does @dagwieers need to sign and publish this new version of rpmforge-release after which point you can sign packages and DAG is off the hook?

davidhrbac commented 6 years ago

@gene1wood no, @dagwieers is not in play anymore... Testing release is here

davidhrbac commented 6 years ago

RepoForge used to be one of the important repositories for CentOS/RHEL. I know that RepoForge is considered to be clinically dead nowadays. On the other hand RepoForge is still physically alive.

We would like to harness community opinion on RepoForge status and future. In case you use or used to use RepoForge, I kindly ask you to fill out this form to help us with the decision.

The form is here: