perfsonar-dev - Re: [pS-dev] signing packages

  • From: Sasa Cavara <>
  • To: Verena Venus <>, Nicolas Simar <>
  • Cc: Gijs Molenaar <>, "" <>
  • Subject: Re: [pS-dev] signing packages
  • Date: Tue, 30 Sep 2008 21:33:20 +0200

On Tue, Sep 30, 2008 at 05:06:00PM +0200, Verena Venus wrote:
> Hi Gijs,
>

Hi gang,

Then let's get the ball rolling..

> On Tuesday, 30 September 2008 16:39:07, Gijs Molenaar wrote:
> > I never talked about this, but it is actually something that should be
> > done. I was trying to do this with Loukik a couple of months ago, but
> > Loukik is gone (may he rest in peace). I don't have the time to do this
> > anymore now, but I thought it would be good to share my idea about this.
> >
> > To resolve the 'package is not signed' error/warning during package
> > installation from the repository do the following:
> >
> > 1> let somebody create a perfsonar key email address
> > ( or whatever) and have this forwarded to you and other people responsible for
> > security/packages/repository.

Nicolas, who should I contact (or you can do it :D) in order to get this
email address created.


( as a backup option) sounds good.

Could be a backup option :). After that I can start with the PGP stuff :)

take care,

> >
> > 2> Create a PGP key pair with this e-mail
> >
> > 3> Put the public key on the downloads server
> >
> > 4> Sign the RPMs and DEBs with the (private) key (see man pages of rpm
> > and dpkg)
> >
> > 5> Modify installation instructions so that people add the public
> > perfsonar key to their yum/apt config.
> >
> > For example virtualbox does it like this (www.virtualbox.org) for debian:
> > wget -q http://download.virtualbox.org/virtualbox/debian/sun_vbox.asc
> > -O- | sudo apt-key add -
> >
> > This is also possible for yum.
> >
> > 5> Put the signed packages in the repository.
> >
> > 6> Put the key on a _safe_ place and _don't_ lose it or get it
> > compromised.
> >
> > if this is too difficult to do, or time is too short, you can add the
> > --nogpgcheck option to yum to install the packages anyway, but this is
> > UGLY and not secure.
>
> In fact, that's the only way to make it work right now, and I would
> appreciate it if we could get rid of this.
>
> If Sasa is taking care of the PGP stuff it should be no problem to use it
> for this release. I don't think it is that time consuming or complicated
> for developers to sign a package :)
>
> Regards,
> Verena
> --
> Verena Venus, DFN-Labor
> Friedrich-Alexander-Universität Erlangen-Nürnberg
> Regionales RechenZentrum Erlangen (RRZE)
> Martensstraße 1, 91058 Erlangen, Germany
> Tel. +49 9131 85-28738, -28800, Fax +49 9131 302941
>
>
> www.win-labor.dfn.de

--
Sasa Cavara
[C]roatian [A]cademic and [R]esearch [Net]work
mob: +385-91-1450-222
tel: +385-1-6661-792
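The steps quoted in this thread (export the public key for the downloads server, sign RPMs and the Debian Release index, ship a yum stanza with gpgcheck=1, and audit for repos that still disable checking), collected into an added shell example that is not code from the thread or from the perfSONAR project. The key address, key URL and download host are assumed placeholders; the PGP key itself is assumed to already exist in the signer's keyring.

```shell
# Added example, not code from the thread. Assumed: a PGP key for the
# hypothetical address packages@example.org already exists in the signer's
# keyring (step 2), and KEY_URL is where the exported public key is published.
set -eu

KEY_ID="packages@example.org"                                   # assumed
KEY_URL="http://downloads.example.org/RPM-GPG-KEY-perfsonar"    # assumed

# Step 3: export the public key in ASCII form for the downloads server.
export_public_key() {
    gpg --armor --export "$KEY_ID" > "$1"
}

# Step 4, RPM side: rpm reads the signing key from the %_gpg_name macro
# (newer rpm moved this to "rpmsign --addsign").
sign_rpm() {
    rpm --define "_gpg_name $KEY_ID" --addsign "$@"
}

# Step 4, Debian side: sign the repository's Release index; apt verifies
# Release.gpg against the key users added with "apt-key add".
sign_deb_release() {
    gpg --local-user "$KEY_ID" --armor --detach-sign \
        -o "$1/Release.gpg" "$1/Release"
}

# Step 5: the yum stanza users should install. gpgcheck=1 is what makes
# "--nogpgcheck" unnecessary: yum rejects packages not signed by a trusted key.
write_yum_repo_file() {
    cat > "$1" <<EOF
[perfsonar]
name=perfSONAR packages
baseurl=http://downloads.example.org/rpm/
enabled=1
gpgcheck=1
gpgkey=$KEY_URL
EOF
}

# Consumer-side check after "rpm --import <key>": exits non-zero when the
# package signature is missing or does not verify.
verify_rpm() {
    rpm --checksig "$1"
}

# Audit: list .repo files in a directory that still disable signature
# checking, i.e. the "UGLY and not secure" state the thread wants to leave.
find_unchecked_repos() {
    grep -l '^gpgcheck=0' "$1"/*.repo 2>/dev/null || true
}
```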