perfsonar development work

[Gijs Molenaar <>]

I never talked about this, but it is actually something that should be 
done. I was trying to do this with Loukik a couple of months ago, but 
loukik is gone (may he rest in peace).  I don't have the time to do this 
anymore now, but I thought it would be good to share my idea about this.

To resolve the 'package is not signed' error/warning during package 
installation from the repository do the following:

1> let somebody create a perfsonar key email adres ( or 
whatever) and let this forward to you and other people responsible for 
security/packages/repository.

2> Create a PGP key pare with this e-mail

3> Put the public key on the downloads server

4> Sign the RPMs and DEBs with the (private) key (see man pages of rpm 
and dpkg)

5> Modify installation instructions so that people add the public 
perfsonar key to their yum/apt config.

For example virtualbox does it like this (www.virtualbox.org) for debian:
wget -q http://download.virtualbox.org/virtualbox/debian/sun_vbox.asc 
-O- | sudo apt-key add -

This is also possible for yum.

5> Put the signed packages in the repository.

6> Put the key on a _safe_ place and _don't_ lose it or get it compromised.

if this is too difficult to do, or time is too short, you can add the 
--nogpgcheck option to yum to install the packages anyway, but this is 
UGLY and not secure.


--
Gijs Molenaar

fingerprint C660 BABA 4B91 4B5C EB60 7739 4385 8ABA 72EE 99CA