perfsonar-dev - Re: [pS-dev] signing packages

  • From: Verena Venus <>
  • To: Gijs Molenaar <>
  • Cc: Sasa Cavara <>, "" <>
  • Subject: Re: [pS-dev] signing packages
  • Date: Tue, 30 Sep 2008 17:06:00 +0200

Hi Gijs,

On Tuesday, 30 September 2008 16:39:07, Gijs Molenaar wrote:
> I never talked about this, but it is actually something that should be
> done. I was trying to do this with Loukik a couple of months ago, but
> Loukik is gone (may he rest in peace). I don't have the time to do this
> anymore now, but I thought it would be good to share my idea about this.
>
> To resolve the 'package is not signed' error/warning during package
> installation from the repository do the following:
>
> 1> let somebody create a perfsonar key email address
> (
> or
> whatever) and let this forward to you and other people responsible for
> security/packages/repository.
>
> 2> Create a PGP key pair with this e-mail
>
> 3> Put the public key on the downloads server
>
> 4> Sign the RPMs and DEBs with the (private) key (see man pages of rpm
> and dpkg)
>
> 5> Modify installation instructions so that people add the public
> perfsonar key to their yum/apt config.
>
> For example, VirtualBox does it like this (www.virtualbox.org) for Debian:
> wget -q http://download.virtualbox.org/virtualbox/debian/sun_vbox.asc -O- | sudo apt-key add -
>
> This is also possible for yum.
>
> 6> Put the signed packages in the repository.
>
> 7> Put the key on a _safe_ place and _don't_ lose it or get it compromised.
>
> if this is too difficult to do, or time is too short, you can add the
> --nogpgcheck option to yum to install the packages anyway, but this is
> UGLY and not secure.

In fact, that's the only way to make it work right now, and I would
appreciate it if we could get rid of this.

If Sasa is taking care of the PGP stuff it should be no problem to use it for
this release. I don't think it is that time-consuming or complicated
for developers to sign a package :)

Regards,
Verena
--
Verena Venus, DFN-Labor
Friedrich-Alexander-Universität Erlangen-Nürnberg
Regionales RechenZentrum Erlangen (RRZE)
Martensstraße 1, 91058 Erlangen, Germany
Tel. +49 9131 85-28738, -28800, Fax +49 9131 302941


www.win-labor.dfn.de
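The signing and client-trust steps from the quoted message, written out as a runnable script. This is an added example, not code from the perfSONAR project or from anyone in the thread; the key user ID, the e-mail address, the download URL and the file paths are hypothetical placeholders. It covers steps 1 to 5: a dedicated signing key, exporting the public half for the downloads server, signing an RPM with `rpm --addsign`, and the client-side yum and apt configuration that makes the signature check mandatory (which is exactly what `--nogpgcheck` switches off). The apt part uses a per-repository keyring with `signed-by=` rather than `apt-key add`, because `apt-key add` trusts the key for every configured repository, not just this one.

```shell
#!/bin/sh
# Added example (not perfSONAR project code): package signing and client trust
# configuration as described in the thread. All names, addresses, URLs and
# paths below are hypothetical placeholders.
set -eu

KEY_UID="perfSONAR packages <perfsonar-keys@example.org>"   # hypothetical
KEY_EMAIL="perfsonar-keys@example.org"                       # hypothetical
REPO_URL="https://downloads.example.org/perfsonar"           # hypothetical
WORK="${WORK:-$(mktemp -d)}"
export GNUPGHOME="$WORK/gnupg"

# Steps 1-3: create a dedicated signing key pair and export the public half
# for the downloads server. Uses the gpg >= 2.1 batch syntax. The empty
# passphrase keeps this example non-interactive; a real release key belongs
# on an offline or HSM-backed machine with a passphrase.
make_signing_key() {
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$KEY_UID" rsa4096 sign 2y
    gpg --batch --armor --export "$KEY_EMAIL" > "$WORK/perfsonar-key.asc"
}

# Step 4: sign one RPM with the private key and verify the result.
# _gpg_name selects the key, _gpg_path the keyring directory.
sign_rpm() {
    rpm --define "_gpg_name $KEY_EMAIL" --define "_gpg_path $GNUPGHOME" \
        --addsign "$1"
    rpm --checksig "$1" | grep -q 'OK'
}

# Step 5 (yum side): a repo file that enforces signature checks.
# gpgcheck=1 is the setting that 'yum --nogpgcheck' overrides.
write_yum_repo() {
    cat > "$1" <<EOF
[perfsonar]
name=perfSONAR packages
baseurl=$REPO_URL/rpm/
enabled=1
gpgcheck=1
gpgkey=$REPO_URL/perfsonar-key.asc
EOF
}

# Step 5 (apt side): bind the key to this one source with signed-by and keep
# it in its own keyring, instead of 'apt-key add', which would make the key
# valid for every repository on the host.
write_apt_source() {
    cat > "$1" <<EOF
deb [signed-by=/etc/apt/keyrings/perfsonar.asc] $REPO_URL/debian/ stable main
EOF
}

# Audit helper: a yum repo file passes only if it both checks signatures and
# names the key it expects. Returns non-zero for gpgcheck=0 or a missing key.
yum_repo_enforces_signatures() {
    grep -q '^gpgcheck=1$' "$1" && grep -q '^gpgkey=' "$1"
}

main() {
    write_yum_repo "$WORK/perfsonar.repo"
    write_apt_source "$WORK/perfsonar.list"
    yum_repo_enforces_signatures "$WORK/perfsonar.repo"
    if command -v gpg >/dev/null 2>&1; then
        make_signing_key
        # Sign a package only when rpm is present and one was given.
        if command -v rpm >/dev/null 2>&1 && [ -n "${RPM_TO_SIGN:-}" ]; then
            sign_rpm "$RPM_TO_SIGN"
        fi
    fi
    echo "client configs (and key, if gpg is installed) written to $WORK"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `RPM_TO_SIGN=some.rpm sh sign-and-configure.sh run` on a host with gpg and rpm. Debian packages are not covered here because the tool the quoted mail points at (dpkg) does not sign .deb files itself; the usual approach is to sign the repository's Release file (`gpg --detach-sign`) or the individual packages with debsigs, and apt verifies the Release signature against the `signed-by` keyring.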


