[users] Why RepoForge RpmForge not available?

David Hrbáč david-lists at hrbac.cz
Mon Sep 23 22:14:59 CEST 2013


On 23.9.2013 17:49, Dag Wieers wrote:
> It was discussed off-list a few times over the past 3 years. I don't
> mind someone else continuing the repository. My only concern is that
> signing with my key (my name is related to that key) is not an option
> to me if I didn't build and verify the build myself.

Yes, that's true. We have almost everything available to the community,
except the build and sign process. I can't sign with your key. What's
more, I DO not want to. All the credit to you, Dag. You did a wonderful
job for a very long time. I'm here to help, not to bring you down...

>
> So if the builds move to someone else (or more than one person), it
> should be signed with a different key. At first I didn't want this
> change to be something that happened automatically (as changing trust
> is something that should be a decision).
>
> But since the situation is now probably worse than if David would be
> updating the packages, I am fine with simply making the RPM print a
> message if it moves from the old key to newer keys. So people are
> aware that this change has taken place.
>
> So for me the only thing that I am needed for to make this change happen:
>
>  - Sign the new rpmforge-release package with my key, which includes
>    David's key (or a project key ?)

Packages are signed with my key because I already had the whole infra.
I do not want to have packages signed with your key nor someone else's.
Packages must be signed with the project key. This is something I'm
planning to have.

>
> (- And paying for the infrastructure ;-))

No, no one wants you to pay for the infra. I can provide the infra free
of charge, plenty of HW.... We do not need a lot of boxes, I guess
something about 5 VMs. We have a fair amount of mirrors all over the world.

>
> David already has access to the main mirror afaik, so in theory he
> could push new packages directly to the main mirror, but without the
> key being distributed in advance this obviously makes no sense.

This is something I did not want to happen. That's why my sidestep with
the updates repo...
>
> BTW In the past the PPC builds were signed exclusively by Fabian, and
> the Fedora/Aurora builds were signed exclusively by Dries. So we
> already allowed some people to sign RPMs, but it was strictly for
> different architectures/releases. We never mixed signing keys for a
> single repository, so you trusted only one person who was responsible
> for the build.
>
> For me that was always very important, because if you install an RPM
> package, you basically trust your complete system to the person that
> created the package ! I have earned that trust by a lot of people, and
> I probably broke that trust by failing to build these updates.
>

Right, take the end user point of view... Six months without the
updates. Damn the updates, I do not care about the bleeding edge, but
there are packages with security holes... This is the point of the
missing updates...

> Although I never promised to keep doing this indefinitely, I also
> never decided to stop doing it, it just happened slowly. Because of
> many things happening around the same time: CentOS burnout, two kids,
> house renovations, freelancing, ... And I don't feel good about this
> situation either, trust me.
>

Dag, I'm the very last to blame you.

Thanks,
DH
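The thread above turns on one point: whoever signs the packages is whom you trust with the whole system, so a move from Dag's key to a project key should be visible to administrators rather than silent. The script below is an added example, not code from the thread or from the RPMforge/RepoForge project; it shows how an administrator can audit which key signed each installed package and flag anything signed by a key outside an explicitly trusted list (or unsigned). The function names, the sample `rpm` output and the key IDs are constructed placeholders, not real RPMforge key IDs.

```shell
#!/bin/sh
# Added example (not from the thread): audit the signing key of every
# installed package so that a change of repository key is noticed.
#
# On a real system the input comes from:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'
# The lines below are CONSTRUCTED sample output in that shape; the key IDs
# are placeholders, not real keys.
SAMPLE_RPM_OUTPUT='htop-1.0.2-1.el6 RSA/SHA1, Mon 23 Sep 2013 10:00:00 AM CEST, Key ID 0000aaaa1111bbbb
nrpe-2.15-1.el6 RSA/SHA1, Mon 23 Sep 2013 11:00:00 AM CEST, Key ID 0000cccc2222dddd
localtool-0.1-1 (none)'

# Key IDs you have deliberately decided to trust (placeholders, space separated).
TRUSTED_KEY_IDS="0000aaaa1111bbbb"

# Reads rpm query output on stdin and prints "<package> <keyid>" for every
# package whose signing key is not in the trusted list given as $1; packages
# without a signature are reported with the key "unsigned".
list_untrusted_signers() {
    trusted="$1"
    awk -v trusted="$trusted" '
    BEGIN {
        n = split(trusted, t, " ")
        for (i = 1; i <= n; i++) ok[tolower(t[i])] = 1
    }
    {
        pkg = $1
        key = "unsigned"
        # "Key ID " is 7 characters; the hex ID follows it.
        if (match($0, /Key ID [0-9a-fA-F]+/)) {
            key = tolower(substr($0, RSTART + 7, RLENGTH - 7))
        }
        if (!(key in ok)) print pkg " " key
    }'
}

# Number of flagged packages in the constructed sample (2: one signed by an
# untrusted key, one unsigned).
count_untrusted_signers() {
    printf '%s\n' "$SAMPLE_RPM_OUTPUT" \
        | list_untrusted_signers "$TRUSTED_KEY_IDS" | wc -l | tr -d ' '
}

# Stand-alone run: print the packages that need a decision.
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | list_untrusted_signers "$TRUSTED_KEY_IDS"
```

Replace `SAMPLE_RPM_OUTPUT` with the real `rpm -qa` query and put the fingerprint of the key you have verified out of band into `TRUSTED_KEY_IDS`; any package that then shows up in the output was signed by a key you never chose to trust, which is exactly the situation the release package message discussed above is meant to announce.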


More information about the users mailing list