On 15-09-25 06:13 AM, Lou Burnard wrote:

According to Sebastian, there is no need for any special key beyond a standard issue GPG one. The problem James was having is due to his trying to do the job *as* Sebastian, which meant he would have needed Sebastian's GPG key. So someone should try to do the task using their own credentials.

If I understand this correctly, this would mean that the existing install base, who explicitly installed Sebastian's key as part of adding the repository (see the instructions here: http://tei.oucs.ox.ac.uk/teideb/), would have to somehow replace the existing key with the new signer's key; or they would have to simply add the new signer's key. If the latter is correct, then the first time someone decided to update their packages, they would see this error: GPG error: [WWW] http://tei.oucs.ox.ac.uk binary/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY [new-signer's-key] They'd have to know what that might mean, and where to go to find the new key information. If the new information is prominently on TEI-L and on existing pages such as the above page and the wiki page, then that's no problem. But if we decide (as James and I believe we should) to move the package repo to tei-c.org, then that's an additional problem. This is an approach that I believe might work: 1. Release new packages with the new key both on the original server and on tei-c.org. This forces people to find out information about the new key; at the same time, they can be instructed to remove the old deb repo URL and replace it with the new one. 2. Update the Oxford server page and the wiki with the new information, and post to TEI-L and any other relevant lists with full instructions for switching. 3. After a certain period (a year?) retire the old repo URL so it just stops working. Before we do this, I believe we should undertake a careful review of all the packages and decide which ones we want to continue to maintain; some are clearly obsolete, others don't really seem to be our business, and some may have no purpose beyond obsolete build-server requirements. I'd like to propose putting together a small working group for this, and trying to include some of the actual users of these packages. Cheers, Martin

(If this fails, I do now know Sebastian's key phrase, but obviously it would be better not to use that if we can avoid it)

I passed on Council's best wishes to him as well, of course. He is currently having radiotherapy on a more or less daily basis, but we won't know how effective this has been for another month or so. He has trouble reading, writing, moving, and speaking, but he and his family seem to be coping as well as might be expected.

On 25/09/15 13:41, Martin Holmes wrote:

...

[Sending this again because last time it went to the Brown TEI list.]

Fair enough. I think the number and speed of responses on TEI-L suggests that the packages are used and useful, so we should continue to maintain them. The next question is how many of them and which of them; and how do we manage the transition to a new signing key and a new repository location?

Cheers, Martin

...