Author: Jaromil
Date:  
To: devuan developers internal list
Subject: Re: [devuan-dev] signing keys for the new amprolla instance
I believe only options B or C are desirable
since we do want to have cryptographic
traceability of the signing infrastructure

also I agree B is the best option.

ciao

On 11 August 2017 14:08:39 CEST, "Ivan J." <parazyd@???> wrote:
>On Thu, 10 Aug 2017, KatolaZ wrote:
>
>> Hi,
>>
>> as you know, parazyd has set up the new amprolla instance which will
>> provide merged repos for the mirrors. The problem is that the instance
>> would need a signing key. Now there are at least a couple of
>> possibilities:
>>
>> a) using the same signing key used by the current amprolla
>> b) using a signing subkey of the current signing key used by amprolla
>> c) having a brand new signing key
>>
>> Option c) is not ideal, since it would require updating
>> devuan-keyring. Please consider that the new amprolla instance is
>> *not* reachable from outside (it will rsync-push the merged repos to
>> pkgmaster.devuan.org, from which the mirrors will pull them down), so
>> it should be a relatively risk-free environment.
>>
>> Once we solve this last issue, we will be ready to test mirrors.
>>
>> How shall we proceed?
>
>Any thoughts on this? I believe any option that is not option a)
>requires an update to devuan-keyring. It's not a bad thing though. For
>manageability, I'd vote for option b) that KatolaZ has listed.