perfsonar development work

[Gijs Molenaar <>]

I forgot to say, Sasa will try to take a look at this.



Gijs Molenaar wrote:
> I never talked about this, but it is actually something that should be 
> done. I was trying to do this with Loukik a couple of months ago, but 
> loukik is gone (may he rest in peace).  I don't have the time to do this 
> anymore now, but I thought it would be good to share my idea about this.
>
> To resolve the 'package is not signed' error/warning during package 
> installation from the repository do the following:
>
> 1> let somebody create a perfsonar key email adres ( or 
> whatever) and let this forward to you and other people responsible for 
> security/packages/repository.
>
> 2> Create a PGP key pare with this e-mail
>
> 3> Put the public key on the downloads server
>
> 4> Sign the RPMs and DEBs with the (private) key (see man pages of rpm 
> and dpkg)
>
> 5> Modify installation instructions so that people add the public 
> perfsonar key to their yum/apt config.
>
> For example virtualbox does it like this (www.virtualbox.org) for debian:
> wget -q http://download.virtualbox.org/virtualbox/debian/sun_vbox.asc 
> -O- | sudo apt-key add -
>
> This is also possible for yum.
>
> 5> Put the signed packages in the repository.
>
> 6> Put the key on a _safe_ place and _don't_ lose it or get it compromised.
>
> if this is too difficult to do, or time is too short, you can add the 
> --nogpgcheck option to yum to install the packages anyway, but this is 
> UGLY and not secure.


--
Gijs Molenaar

fingerprint C660 BABA 4B91 4B5C EB60 7739 4385 8ABA 72EE 99CA