[users] Why RepoForge RpmForge not available?

Dag Wieers dag at wieers.com
Mon Sep 23 17:49:38 CEST 2013


On Mon, 23 Sep 2013, Nico Kadel-Garcia wrote:

> Let us know if there's anything we can do to help out, or help get package
> updates flowing into RPMforge again.

It was discussed off-list a few times over the past 3 years. I don't mind 
someone else continuing the repository. My only concern is that signing 
with my key (my name is related to that key) is not an option for me if I 
didn't build and verify the build myself.

So if the builds move to someone else (or more than one person), it should 
be signed with a different key. At first I didn't want this change to be 
something that happened automatically (as changing trust is something that 
should be a decision).

But since the situation is now probably worse than if David were 
updating the packages, I am fine with simply making the RPM print a 
message if it moves from the old key to newer keys. So people are aware 
that this change has taken place.

So for me the only thing that I am needed for to make this change happen:

  - Sign the new rpmforge-release package with my key, which includes
    David's key (or a project key ?)

(- And paying for the infrastructure ;-))

David already has access to the main mirror afaik, so in theory he could 
push new packages directly to the main mirror, but without the key being 
distributed in advance this obviously makes no sense.

BTW In the past the PPC builds were signed exclusively by Fabian, and the 
Fedora/Aurora builds were signed exclusively by Dries. So we already 
allowed some people to sign RPMs, but it was strictly for different 
architectures/releases. We never mixed signing keys for a single 
repository, so you trusted only one person who was responsible for the 
build.

For me that was always very important, because if you install an RPM 
package, you basically trust your complete system to the person that 
created the package! I have earned that trust from a lot of people, and I 
probably broke that trust by failing to build these updates.

Although I never promised to keep doing this indefinitely, I also never 
decided to stop doing it, it just happened slowly. Because of many things 
happening around the same time: CentOS burnout, two kids, house 
renovations, freelancing, ... And I don't feel good about this situation 
either, trust me.

-- 
-- dag wieers, dag at wieers.com, http://dag.wieers.com/
-- dagit linux solutions, contact at dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]
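
An added example, not part of the original message or of RPMforge's tooling: a Python check for the one-key-per-repository rule discussed above, run over the output of `rpm -qp --qf '%{NAME}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n' *.rpm` in a mirrored repository directory. The function name, the sample packages and the key IDs are constructed placeholders, and the pinned key is assumed to be the one the administrator already trusts.

```python
import re
from collections import defaultdict

# rpm renders a signature tag as e.g. "DSA/SHA1, <date>, Key ID <16 hex digits>"
# and prints "(none)" when the tag is absent.
KEY_ID = re.compile(r"Key ID ([0-9a-fA-F]{16})\s*$")

# Constructed sample report; key IDs are placeholders, not real RPMforge keys.
SAMPLE = (
    "htop\t(none)\tDSA/SHA1, Mon 02 Sep 2013 10:00:00 AM CEST, Key ID 1111111111111111\n"
    "rsync\t(none)\tDSA/SHA1, Tue 03 Sep 2013 10:00:00 AM CEST, Key ID 1111111111111111\n"
    "mtr\tRSA/SHA1, Wed 04 Sep 2013 10:00:00 AM CEST, Key ID 2222222222222222\t(none)\n"
    "iftop\t(none)\t(none)\n"
)


def audit_repo(report, pinned_key):
    """Group packages by signing key and compare against the pinned key."""
    pinned = pinned_key.lower()
    signers = defaultdict(list)   # key id -> package names
    unsigned = []                 # packages carrying no signature at all
    for line in report.splitlines():
        if not line.strip():
            continue
        name, *sigs = line.split("\t")
        ids = {m.group(1).lower() for s in sigs if (m := KEY_ID.search(s))}
        if not ids:
            unsigned.append(name)
        for key in sorted(ids):
            signers[key].append(name)
    # Anything signed by a key other than the pinned one is a trust change
    # that should have been an explicit decision by the administrator.
    foreign = {k: v for k, v in signers.items() if k != pinned}
    return {
        "signers": dict(signers),
        "unsigned": unsigned,
        "foreign": foreign,
        "single_key": set(signers) == {pinned} and not unsigned,
    }


if __name__ == "__main__":
    result = audit_repo(SAMPLE, "1111111111111111")
    for key, pkgs in result["foreign"].items():
        print(f"signed by unpinned key {key}: {', '.join(pkgs)}")
    for pkg in result["unsigned"]:
        print(f"unsigned: {pkg}")
    print("single trusted signer:", result["single_key"])
```
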

