On Tue, 2009-02-24 at 10:29 -0500, Scott Williams wrote:
> Just wanted to start some discussion on this before it gets much
> further. Would it be easier at this point to have a build system like
> plague or koji, OR just to get us started I could create VMs with the
> devel tools for each version to build packages with, which would be
> far less complicated to start with.
>
> Either way, any objections to signing packages with a software GPG
> key?
>
> ~Scott

As for signing with a software GPG key, I think it's fine in principle.
However, to ensure it does not get compromised, I think the key itself
should be passphrase encrypted, so that even if your system is
compromised, the key itself is protected. In fact, if it's encrypted,
then you can even technically send out copies of the encrypted key for
safe keeping, as long as only you know the passphrase. That last part
may be a little out there, though. ;)

As for the build system, unfortunately, I don't have a lot of experience
with such things. I think if we don't get it up now, it'll be a lot
harder to get it going in the future, and, if I'm not mistaken, it would
save us a lot of time in the long run - build systems make these kinds
of things a lot easier, I think.

By the way, any word from FAB? Domain name, etc.?
________________________________________________________________________
Basil Mohamed Gohar
abu_hurayrah(a)hidayahonline.org
www.basilgohar.com